Windows Analysis Report
Payment Swift CopyMT103.exe

Overview

General Information

Sample name: Payment Swift CopyMT103.exe
Analysis ID: 1586045
MD5: bed1442a4f50a01ca78baffd48313104
SHA1: 4920449ae36ec9f4954a60291793639a7f53223e
SHA256: 24777f80f39fba9da6a66bb0804bd3c3a510126f583eefb8918e24fa5fdeb69b
Tags: exeuser-malrpt

Detection

Remcos, PureLog Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected PureLog Stealer
Yara detected Remcos RAT
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • Payment Swift CopyMT103.exe (PID: 7572 cmdline: "C:\Users\user\Desktop\Payment Swift CopyMT103.exe" MD5: BED1442A4F50A01CA78BAFFD48313104)
    • powershell.exe (PID: 7772 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\AASHNosznogz.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 8028 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 7792 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AASHNosznogz" /XML "C:\Users\user\AppData\Local\Temp\tmpC5F2.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • Payment Swift CopyMT103.exe (PID: 7912 cmdline: "C:\Users\user\Desktop\Payment Swift CopyMT103.exe" MD5: BED1442A4F50A01CA78BAFFD48313104)
  • AASHNosznogz.exe (PID: 7972 cmdline: C:\Users\user\AppData\Roaming\AASHNosznogz.exe MD5: BED1442A4F50A01CA78BAFFD48313104)
    • schtasks.exe (PID: 8180 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AASHNosznogz" /XML "C:\Users\user\AppData\Local\Temp\tmpD65D.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 8188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AASHNosznogz.exe (PID: 7340 cmdline: "C:\Users\user\AppData\Roaming\AASHNosznogz.exe" MD5: BED1442A4F50A01CA78BAFFD48313104)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Malware configuration:

{
  "Host:Port:Password": ["teebro1800.dynamic-dns.net:2195:1", "teewire.ydns.eu:2195:1"],
  "Assigned name": "06wire2025",
  "Connect interval": "1",
  "Install flag": "Disable",
  "Setup HKCU\\Run": "Enable",
  "Setup HKLM\\Run": "Enable",
  "Install path": "Application path",
  "Copy file": "remcos.exe",
  "Startup value": "Remcos",
  "Hide file": "Disable",
  "Mutex": "Rmc-E00CAV",
  "Keylog flag": "0",
  "Keylog path": "Application path",
  "Keylog file": "logs.dat",
  "Keylog crypt": "Disable",
  "Hide keylog file": "Disable",
  "Screenshot flag": "Disable",
  "Screenshot time": "1",
  "Take Screenshot option": "Disable",
  "Take screenshot title": "",
  "Take screenshot time": "5",
  "Screenshot path": "AppData",
  "Screenshot file": "Screenshots",
  "Screenshot crypt": "Disable",
  "Mouse option": "Disable",
  "Delete file": "Disable",
  "Audio record time": "5",
  "Audio folder": "MicRecords",
  "Connect delay": "0",
  "Copy folder": "Remcos",
  "Keylog folder": "remcos",
  "Keylog file max size": "100"
}
Source | Rule | Description | Author
0000000C.00000002.1457396479.000000000166A000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000007.00000002.3868496825.0000000001007000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000000.00000002.1429290912.00000000071A0000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
00000000.00000002.1424555615.0000000004B3E000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000000.00000002.1424555615.0000000004B3E000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x67ea8:$a1: Remcos restarted by watchdog!
  • 0x68400:$a3: %02i:%02i:%02i:%03i
  • 0x68785:$a4: * Remcos v

Source | Rule | Description | Author
0.2.Payment Swift CopyMT103.exe.71a0000.3.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
0.2.Payment Swift CopyMT103.exe.71a0000.3.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
0.2.Payment Swift CopyMT103.exe.4b3e4c8.2.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
0.2.Payment Swift CopyMT103.exe.4b3e4c8.2.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x661e0:$a1: Remcos restarted by watchdog!
  • 0x66738:$a3: %02i:%02i:%02i:%03i
  • 0x66abd:$a4: * Remcos v
0.2.Payment Swift CopyMT103.exe.4b3e4c8.2.unpack | REMCOS_RAT_variants | unknown | unknown
  • 0x611e4:$str_a1: C:\Windows\System32\cmd.exe
  • 0x61160:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x61160:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x60610:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x60e48:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x6020c:$str_b2: Executing file:
  • 0x61328:$str_b3: GetDirectListeningPort
  • 0x60c08:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x60e30:$str_b7: \update.vbs
  • 0x60234:$str_b9: Downloaded file:
  • 0x60220:$str_b10: Downloading file:
  • 0x602c4:$str_b12: Failed to upload file:
  • 0x612f0:$str_b13: StartForward
  • 0x61310:$str_b14: StopForward
  • 0x60dd8:$str_b15: fso.DeleteFile "
  • 0x60d6c:$str_b16: On Error Resume Next
  • 0x60e08:$str_b17: fso.DeleteFolder "
  • 0x602b4:$str_b18: Uploaded file:
  • 0x60274:$str_b19: Unable to delete:
  • 0x60da0:$str_b20: while fso.FileExists("
  • 0x60749:$str_c0: [Firefox StoredLogins not found]

System Summary

Source: Process started. Author: Florian Roth (Nextron Systems). Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\AASHNosznogz.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\AASHNosznogz.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Payment Swift CopyMT103.exe", ParentImage: C:\Users\user\Desktop\Payment Swift CopyMT103.exe, ParentProcessId: 7572, ParentProcessName: Payment Swift CopyMT103.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\AASHNosznogz.exe", ProcessId: 7772, ProcessName: powershell.exe
Source: Process started. Author: Florian Roth (Nextron Systems). Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\AASHNosznogz.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\AASHNosznogz.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Payment Swift CopyMT103.exe", ParentImage: C:\Users\user\Desktop\Payment Swift CopyMT103.exe, ParentProcessId: 7572, ParentProcessName: Payment Swift CopyMT103.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\AASHNosznogz.exe", ProcessId: 7772, ProcessName: powershell.exe
Source: Process started. Author: Florian Roth (Nextron Systems). Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AASHNosznogz" /XML "C:\Users\user\AppData\Local\Temp\tmpD65D.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AASHNosznogz" /XML "C:\Users\user\AppData\Local\Temp\tmpD65D.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\AASHNosznogz.exe, ParentImage: C:\Users\user\AppData\Roaming\AASHNosznogz.exe, ParentProcessId: 7972, ParentProcessName: AASHNosznogz.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AASHNosznogz" /XML "C:\Users\user\AppData\Local\Temp\tmpD65D.tmp", ProcessId: 8180, ProcessName: schtasks.exe
Source: Process started. Author: Florian Roth (Nextron Systems). Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AASHNosznogz" /XML "C:\Users\user\AppData\Local\Temp\tmpC5F2.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AASHNosznogz" /XML "C:\Users\user\AppData\Local\Temp\tmpC5F2.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Payment Swift CopyMT103.exe", ParentImage: C:\Users\user\Desktop\Payment Swift CopyMT103.exe, ParentProcessId: 7572, ParentProcessName: Payment Swift CopyMT103.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AASHNosznogz" /XML "C:\Users\user\AppData\Local\Temp\tmpC5F2.tmp", ProcessId: 7792, ProcessName: schtasks.exe
Source: Process started. Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements). Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\AASHNosznogz.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\AASHNosznogz.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Payment Swift CopyMT103.exe", ParentImage: C:\Users\user\Desktop\Payment Swift CopyMT103.exe, ParentProcessId: 7572, ParentProcessName: Payment Swift CopyMT103.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\AASHNosznogz.exe", ProcessId: 7772, ProcessName: powershell.exe

Persistence and Installation Behavior

Source: Process started. Author: Joe Security. Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AASHNosznogz" /XML "C:\Users\user\AppData\Local\Temp\tmpC5F2.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AASHNosznogz" /XML "C:\Users\user\AppData\Local\Temp\tmpC5F2.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Payment Swift CopyMT103.exe", ParentImage: C:\Users\user\Desktop\Payment Swift CopyMT103.exe, ParentProcessId: 7572, ParentProcessName: Payment Swift CopyMT103.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AASHNosznogz" /XML "C:\Users\user\AppData\Local\Temp\tmpC5F2.tmp", ProcessId: 7792, ProcessName: schtasks.exe

Stealing of Sensitive Information

Source: Registry Key set. Author: Joe Security. Data: Details: E7 0B 00 39 B3 FE 5C 5F 3F 4C EF 3C C9 95 6F 73 2A 5C 07 2B 55 D5 39 1F DF FC 48 E0 18 D7 97 6F 47 1B D6 D1 97 27 9A 8E 92 3C 7E 11 1A A6 A3 ED 41 E0 54 93 84 CE 3A 91 49 B4 33 D0 7C 07 54 86 86 A6 D0 DA 11 E0 B7 82 9E A0 DA 29 93 0D B4 7C 1B E6 4C 39 41 3C 41 29 BA 57 12 0C BB B4 DB FA 46 53 0F 1A 69 77 F1 11 , EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\Payment Swift CopyMT103.exe, ProcessId: 7912, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-E00CAV\exepath

Suricata IDS Alerts

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-08T16:54:07.958005+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49709 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:54:09.678969+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49710 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:54:12.226350+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49713 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:54:13.772660+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49714 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:54:16.478783+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49715 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:54:18.114715+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49716 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:54:20.651343+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49717 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:54:22.166505+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49720 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:54:24.711004+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49721 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:54:26.212376+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49722 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:54:28.837950+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49723 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:54:30.379694+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49724 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:54:32.896087+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49725 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:54:34.399739+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49726 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:54:36.896953+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49727 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:54:38.380028+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49728 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:54:41.070235+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49729 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:54:42.583220+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49730 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:54:45.123012+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49731 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:54:46.632266+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49732 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:54:49.130999+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49733 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:54:50.630818+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49734 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:54:53.132005+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49735 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:54:54.630874+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49736 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:54:57.146261+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49737 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:54:58.646111+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49738 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:55:01.193409+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49740 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:55:02.677218+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49741 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:55:05.227966+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49742 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:55:06.792701+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49743 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:55:09.306270+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49744 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:55:10.822967+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49745 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:55:13.428226+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49746 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:55:14.928086+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49747 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:55:17.429729+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49748 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:55:18.928259+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49749 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:55:21.431011+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49750 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:55:22.929093+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49751 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:55:25.431237+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49752 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:55:26.930990+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49753 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:55:29.428980+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49754 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:55:30.949004+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49755 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:55:33.463269+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49756 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:55:34.959627+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49757 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:55:37.547012+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49758 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:55:39.060999+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49759 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:55:41.569640+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49760 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:55:43.075060+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49761 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:55:45.760941+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49762 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:55:47.256445+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49763 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:55:49.760988+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49764 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:55:51.290039+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49765 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:55:53.805704+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49766 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:55:55.325020+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49767 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:55:57.901032+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49768 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:55:59.414141+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49769 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:56:01.932713+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49770 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:56:03.480999+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49771 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:56:05.995029+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49772 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:56:07.512998+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49773 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:56:10.040366+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49774 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:56:11.554844+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49775 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:56:14.093963+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49776 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:56:15.587152+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49777 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:56:18.485041+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49778 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:56:20.094251+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49779 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:56:22.605024+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49780 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:56:24.215995+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49781 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:56:26.667563+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49782 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:56:28.165057+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49783 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:56:30.619328+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49784 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:56:32.158610+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49785 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:56:34.538689+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49786 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:56:36.075634+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49787 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:56:38.414494+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49788 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:56:39.914469+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49789 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:56:42.261448+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49790 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:56:43.775249+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49791 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:56:46.089585+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49792 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:56:47.606794+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49793 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:56:50.479071+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49794 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:56:51.993155+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49795 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:56:54.245003+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49796 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:56:55.759188+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49797 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:56:58.007506+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49798 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:56:59.511143+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49799 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:57:01.745196+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49800 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:57:03.246273+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49801 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:57:05.433098+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49802 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:57:06.949050+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49803 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:57:09.119459+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49804 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:57:10.637915+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49805 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:57:12.778085+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49806 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:57:14.290399+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49807 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:57:16.430169+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49808 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:57:17.965103+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49809 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:57:20.076812+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49810 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:57:21.591474+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49811 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:57:24.024214+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49812 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:57:25.524388+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49813 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:57:27.571632+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49814 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:57:29.054961+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49815 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:57:31.122172+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49816 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:57:32.617836+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49817 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:57:34.619436+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49818 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:57:36.140048+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49819 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:57:38.151090+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49820 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:57:39.655668+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49821 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:57:41.953040+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49822 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:57:43.461949+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49823 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:57:45.437055+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49824 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:57:47.073041+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49825 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:57:49.199116+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49826 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:57:50.809966+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49827 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:57:52.823188+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49828 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:57:54.367797+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49829 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:57:56.415546+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49830 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:57:57.932828+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49831 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:57:59.857061+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49832 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:58:01.356007+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49833 | 147.124.212.172 | 2195 | TCP
2025-01-08T16:58:03.245285+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49834 | 147.124.212.172 | 2195 | TCP
                2025-01-08T16:58:04.765049+010020365941Malware Command and Control Activity Detected192.168.2.849835147.124.212.1722195TCP
                2025-01-08T16:58:06.649697+010020365941Malware Command and Control Activity Detected192.168.2.849836147.124.212.1722195TCP
                2025-01-08T16:58:08.165372+010020365941Malware Command and Control Activity Detected192.168.2.849837147.124.212.1722195TCP
                2025-01-08T16:58:10.051373+010020365941Malware Command and Control Activity Detected192.168.2.849838147.124.212.1722195TCP
                2025-01-08T16:58:11.574708+010020365941Malware Command and Control Activity Detected192.168.2.849839147.124.212.1722195TCP


                AV Detection

                Source: teebro1800.dynamic-dns.net | Avira URL Cloud: Label: malware
                Source: teewire.ydns.eu | Avira URL Cloud: Label: malware
                Source: 00000007.00000002.3868496825.0000000001007000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": ["teebro1800.dynamic-dns.net:2195:1", "teewire.ydns.eu:2195:1"], "Assigned name": "06wire2025", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Remcos", "Hide file": "Disable", "Mutex": "Rmc-E00CAV", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": "100"}
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | ReversingLabs: Detection: 71%
                Source: Payment Swift CopyMT103.exe | ReversingLabs: Detection: 71%
                Source: Yara match | File source: 0.2.Payment Swift CopyMT103.exe.4b3e4c8.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 12.2.AASHNosznogz.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.Payment Swift CopyMT103.exe.4b3e4c8.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 12.2.AASHNosznogz.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.Payment Swift CopyMT103.exe.4103f88.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.Payment Swift CopyMT103.exe.4103f88.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0000000C.00000002.1457396479.000000000166A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.3868496825.0000000001007000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1424555615.0000000004B3E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1424555615.0000000003FE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: Payment Swift CopyMT103.exe PID: 7572, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: Payment Swift CopyMT103.exe PID: 7912, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: AASHNosznogz.exe PID: 7340, type: MEMORYSTR
                Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Joe Sandbox ML: detected
                Source: Payment Swift CopyMT103.exe | Joe Sandbox ML: detected
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: 12_2_004315EC CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,12_2_004315EC
                Source: Payment Swift CopyMT103.exe, 00000000.00000002.1424555615.0000000003FE9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----memstr_80979def-2
                Source: Payment Swift CopyMT103.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: Payment Swift CopyMT103.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: 12_2_0041A01B FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,12_2_0041A01B
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: 12_2_0040B28E FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,12_2_0040B28E
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: 12_2_0040838E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,12_2_0040838E
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: 12_2_004087A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,12_2_004087A0
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: 12_2_00407848 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,12_2_00407848
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: 12_2_004068CD FindFirstFileW,FindNextFileW,12_2_004068CD
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: 12_2_0044BA59 FindFirstFileExA,12_2_0044BA59
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: 12_2_0040AA71 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,12_2_0040AA71
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: 12_2_00417AAB FindFirstFileW,FindNextFileW,FindNextFileW,12_2_00417AAB
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: 12_2_0040AC78 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,12_2_0040AC78
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: 12_2_00406D28 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,12_2_00406D28

                Networking

                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49715 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49721 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49725 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49713 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49723 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49724 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49748 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49763 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49782 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49734 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49710 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49717 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49787 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49751 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49709 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49740 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49791 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49735 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49726 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49736 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49741 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49738 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49746 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49759 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49728 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49729 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49750 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49716 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49777 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49743 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49793 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49765 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49801 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49774 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49755 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49775 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49804 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49737 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49785 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49768 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49809 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49810 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49760 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49805 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49817 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49744 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49781 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49816 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49814 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49749 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49753 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49798 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49752 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49815 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49824 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49714 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49779 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49786 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49769 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49812 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49770 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49836 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49818 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49799 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49783 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49764 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49821 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49790 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49827 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49813 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49800 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49832 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49838 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49828 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49802 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49732 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49834 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49820 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49837 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49829 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49839 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49720 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49833 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49789 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49767 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49733 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49722 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49754 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49742 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49823 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49808 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49762 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49756 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49758 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49772 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49757 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49773 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49776 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49795 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49730 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49797 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49803 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49807 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49731 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49835 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49771 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49825 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49822 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49778 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49784 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49792 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49806 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49794 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49796 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49811 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49727 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49819 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49745 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49826 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49747 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49831 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49766 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49780 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49761 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49788 -> 147.124.212.172:2195
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49830 -> 147.124.212.172:2195
                Source: Malware configuration extractor | URLs: teebro1800.dynamic-dns.net
                Source: Malware configuration extractor | URLs: teewire.ydns.eu
                Source: global traffic | TCP traffic: 192.168.2.8:49709 -> 147.124.212.172:2195
                Source: Joe Sandbox View | ASN Name: AC-AS-1US AC-AS-1US
                Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: 12_2_0041936B InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,12_2_0041936B
                Source: global traffic | DNS traffic detected: DNS query: teebro1800.dynamic-dns.net
                Source: global traffic | DNS traffic detected: DNS query: teewire.ydns.eu
                Source: AASHNosznogz.exe | String found in binary or memory: http://geoplugin.net/json.gp
                Source: Payment Swift CopyMT103.exe, 00000000.00000002.1424555615.0000000003FE9000.00000004.00000800.00020000.00000000.sdmp, Payment Swift CopyMT103.exe, 00000000.00000002.1424555615.0000000004B3E000.00000004.00000800.00020000.00000000.sdmp, AASHNosznogz.exe, 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp/C
                Source: Payment Swift CopyMT103.exe, 00000000.00000002.1422848291.000000000302F000.00000004.00000800.00020000.00000000.sdmp, AASHNosznogz.exe, 00000008.00000002.1458876116.000000000288F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                Source: Payment Swift CopyMT103.exe, AASHNosznogz.exe.0.dr | String found in binary or memory: http://www.omdbapi.com/?t=)&y=&plot=long&r=json

                Key, Mouse, Clipboard, Microphone and Screen Capturing

                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: 12_2_00409340 SetWindowsHookExA 0000000D,0040932C,00000000
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: 12_2_0040A65A OpenClipboard,GetClipboardData,CloseClipboard
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: 12_2_00414EC1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: 12_2_00409468 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx

                E-Banking Fraud

                Source: Yara match | File source: 0.2.Payment Swift CopyMT103.exe.4b3e4c8.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 12.2.AASHNosznogz.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.Payment Swift CopyMT103.exe.4b3e4c8.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 12.2.AASHNosznogz.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.Payment Swift CopyMT103.exe.4103f88.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.Payment Swift CopyMT103.exe.4103f88.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0000000C.00000002.1457396479.000000000166A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.3868496825.0000000001007000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1424555615.0000000004B3E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1424555615.0000000003FE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: Payment Swift CopyMT103.exe PID: 7572, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: Payment Swift CopyMT103.exe PID: 7912, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: AASHNosznogz.exe PID: 7340, type: MEMORYSTR

                Spam, unwanted Advertisements and Ransom Demands

                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: 12_2_0041A76C SystemParametersInfoW

                System Summary

                Source: 0.2.Payment Swift CopyMT103.exe.4b3e4c8.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 0.2.Payment Swift CopyMT103.exe.4b3e4c8.2.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 0.2.Payment Swift CopyMT103.exe.4b3e4c8.2.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
                Source: 12.2.AASHNosznogz.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 12.2.AASHNosznogz.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 12.2.AASHNosznogz.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
                Source: 0.2.Payment Swift CopyMT103.exe.4b3e4c8.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 0.2.Payment Swift CopyMT103.exe.4b3e4c8.2.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 0.2.Payment Swift CopyMT103.exe.4b3e4c8.2.raw.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
                Source: 12.2.AASHNosznogz.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 12.2.AASHNosznogz.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 12.2.AASHNosznogz.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
                Source: 0.2.Payment Swift CopyMT103.exe.4103f88.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 0.2.Payment Swift CopyMT103.exe.4103f88.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 0.2.Payment Swift CopyMT103.exe.4103f88.1.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
                Source: 0.2.Payment Swift CopyMT103.exe.4103f88.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 0.2.Payment Swift CopyMT103.exe.4103f88.1.raw.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
                Source: 00000000.00000002.1424555615.0000000004B3E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
                Source: 00000000.00000002.1424555615.0000000003FE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: Process Memory Space: Payment Swift CopyMT103.exe PID: 7572, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: Process Memory Space: AASHNosznogz.exe PID: 7340, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: initial sample | Static PE information: Filename: Payment Swift CopyMT103.exe
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: 12_2_00414DB4 ExitWindowsEx,LoadLibraryA,GetProcAddress
                Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exe | Code function: 0_2_00FB5CC4
                Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exe | Code function: 0_2_00FBE124
                Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exe | Code function: 0_2_00FB7092
                Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exe | Code function: 0_2_02DD0BD4
                Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exe | Code function: 0_2_02DD00D8
                Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exe | Code function: 0_2_02DD20F0
                Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exe | Code function: 0_2_02DD0130
                Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exe | Code function: 0_2_02DD0122
                Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exe | Code function: 0_2_02DDB698
                Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exe | Code function: 0_2_02DDB688
                Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exe | Code function: 0_2_02DDB65F
                Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exe | Code function: 0_2_053B8664
                Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exe | Code function: 0_2_053BF100
                Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exe | Code function: 0_2_0727E770
                Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exe | Code function: 0_2_0727B688
                Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exe | Code function: 0_2_07270CF8
                Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exe | Code function: 0_2_072751FC
                Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exe | Code function: 0_2_07270F60
                Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exe | Code function: 0_2_0727E760
                Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exe | Code function: 0_2_0727AFA0
                Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exe | Code function: 0_2_0727AF91
                Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exe | Code function: 0_2_0727B678
                Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exe | Code function: 0_2_07276EE8
                Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exe | Code function: 0_2_0727DBC0
                Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exe | Code function: 0_2_07275157
                Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exe | Code function: 0_2_072751ED
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: 8_2_00E65CC4
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: 8_2_00E6E124
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: 8_2_00E67092
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: 8_2_06ADB688
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: 8_2_06ADE770
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: 8_2_06AD0CF8
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: 8_2_06AD51FC
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: 8_2_06AD6EE8
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: 8_2_06ADB678
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: 8_2_06ADAFA0
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: 8_2_06ADAF91
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: 8_2_06AD0F60
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: 8_2_06ADE763
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: 8_2_06ADDBC0
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: 8_2_06AFD348
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: 8_2_06AF6600
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: 8_2_06AF87A1
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: 8_2_06AF87B0
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: 8_2_06AFF7C8
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: 8_2_06AF61C8
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: 8_2_06AF7E00
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: 8_2_06AF5D90
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: 8_2_06AF7DF0
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: 12_2_00425152
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: 12_2_00435286
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: 12_2_004513D4
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: 12_2_0045050B
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: 12_2_00436510
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: 12_2_004316FB
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: 12_2_0043569E
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: 12_2_00443700
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: 12_2_004257FB
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: 12_2_004128E3
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: 12_2_00425964
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: 12_2_0041B917
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: 12_2_0043D9CC
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: 12_2_00435AD3
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: 12_2_00424BC3
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: 12_2_0043DBFB
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: 12_2_0044ABA9
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: 12_2_00433C0B
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: 12_2_00434D8A
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: 12_2_0043DE2A
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: 12_2_0041CEAF
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: 12_2_00435F08
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: String function: 00402073 appears 51 times
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: String function: 00432B90 appears 53 times
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: String function: 00432525 appears 41 times
                Source: Payment Swift CopyMT103.exe, 00000000.00000002.1424555615.0000000003FE9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs Payment Swift CopyMT103.exe
                Source: Payment Swift CopyMT103.exe, 00000000.00000002.1429845347.0000000007280000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs Payment Swift CopyMT103.exe
                Source: Payment Swift CopyMT103.exe, 00000000.00000002.1421351179.0000000000FCE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Payment Swift CopyMT103.exe
                Source: Payment Swift CopyMT103.exe, 00000000.00000000.1394966799.0000000000982000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameyoJh.exeD vs Payment Swift CopyMT103.exe
                Source: Payment Swift CopyMT103.exe, 00000000.00000002.1429290912.00000000071A0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameCaptive.dll" vs Payment Swift CopyMT103.exe
                Source: Payment Swift CopyMT103.exe | Binary or memory string: OriginalFilenameyoJh.exeD vs Payment Swift CopyMT103.exe
                Source: Payment Swift CopyMT103.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: 0.2.Payment Swift CopyMT103.exe.4b3e4c8.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 0.2.Payment Swift CopyMT103.exe.4b3e4c8.2.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 0.2.Payment Swift CopyMT103.exe.4b3e4c8.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
                Source: 12.2.AASHNosznogz.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 12.2.AASHNosznogz.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 12.2.AASHNosznogz.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
                Source: 0.2.Payment Swift CopyMT103.exe.4b3e4c8.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 0.2.Payment Swift CopyMT103.exe.4b3e4c8.2.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 0.2.Payment Swift CopyMT103.exe.4b3e4c8.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
                Source: 12.2.AASHNosznogz.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 12.2.AASHNosznogz.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 12.2.AASHNosznogz.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
                Source: 0.2.Payment Swift CopyMT103.exe.4103f88.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 0.2.Payment Swift CopyMT103.exe.4103f88.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 0.2.Payment Swift CopyMT103.exe.4103f88.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
                Source: 0.2.Payment Swift CopyMT103.exe.4103f88.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 0.2.Payment Swift CopyMT103.exe.4103f88.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
                Source: 00000000.00000002.1424555615.0000000004B3E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
                Source: 00000000.00000002.1424555615.0000000003FE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: Process Memory Space: Payment Swift CopyMT103.exe PID: 7572, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: Process Memory Space: AASHNosznogz.exe PID: 7340, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: Payment Swift CopyMT103.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: AASHNosznogz.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: 0.2.Payment Swift CopyMT103.exe.41bdba8.0.raw.unpack, vnAjaOk4Cgc8Sx5qPh.cs | Security API names: _0020.SetAccessControl
                Source: 0.2.Payment Swift CopyMT103.exe.41bdba8.0.raw.unpack, vnAjaOk4Cgc8Sx5qPh.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.Payment Swift CopyMT103.exe.41bdba8.0.raw.unpack, vnAjaOk4Cgc8Sx5qPh.cs | Security API names: _0020.AddAccessRule
                Source: 0.2.Payment Swift CopyMT103.exe.7280000.4.raw.unpack, qvExPqEDPHfeiK6UZ2.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.Payment Swift CopyMT103.exe.41bdba8.0.raw.unpack, qvExPqEDPHfeiK6UZ2.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.Payment Swift CopyMT103.exe.7280000.4.raw.unpack, vnAjaOk4Cgc8Sx5qPh.cs | Security API names: _0020.SetAccessControl
                Source: 0.2.Payment Swift CopyMT103.exe.7280000.4.raw.unpack, vnAjaOk4Cgc8Sx5qPh.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.Payment Swift CopyMT103.exe.7280000.4.raw.unpack, vnAjaOk4Cgc8Sx5qPh.cs | Security API names: _0020.AddAccessRule
                Source: classification engine | Classification label: mal100.rans.troj.spyw.evad.winEXE@16/11@9/1
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: 12_2_00415C90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: 12_2_0040E2E7 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,CloseHandle
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: 12_2_00419493 FindResourceA,LoadResource,LockResource,SizeofResource
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: 12_2_00418A00 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
                Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exe | File created: C:\Users\user\AppData\Roaming\AASHNosznogz.exe
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Mutant created: NULL
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7800:120:WilError_03
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7808:120:WilError_03
                Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-E00CAV
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8188:120:WilError_03
                Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exe | File created: C:\Users\user\AppData\Local\Temp\tmpC5F2.tmp
                Source: Payment Swift CopyMT103.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exe | File read: C:\Users\user\Desktop\desktop.ini
                Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: Payment Swift CopyMT103.exe | ReversingLabs: Detection: 71%
                Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exe | File read: C:\Users\user\Desktop\Payment Swift CopyMT103.exe
                Source: unknown | Process created: C:\Users\user\Desktop\Payment Swift CopyMT103.exe "C:\Users\user\Desktop\Payment Swift CopyMT103.exe"
                Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\AASHNosznogz.exe"
                Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AASHNosznogz" /XML "C:\Users\user\AppData\Local\Temp\tmpC5F2.tmp"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exeProcess created: C:\Users\user\Desktop\Payment Swift CopyMT103.exe "C:\Users\user\Desktop\Payment Swift CopyMT103.exe"
                Source: unknownProcess created: C:\Users\user\AppData\Roaming\AASHNosznogz.exe C:\Users\user\AppData\Roaming\AASHNosznogz.exe
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AASHNosznogz" /XML "C:\Users\user\AppData\Local\Temp\tmpD65D.tmp"
                Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exeProcess created: C:\Users\user\AppData\Roaming\AASHNosznogz.exe "C:\Users\user\AppData\Roaming\AASHNosznogz.exe"
                Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\AASHNosznogz.exe"Jump to behavior
                Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AASHNosznogz" /XML "C:\Users\user\AppData\Local\Temp\tmpC5F2.tmp"Jump to behavior
                Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exeProcess created: C:\Users\user\Desktop\Payment Swift CopyMT103.exe "C:\Users\user\Desktop\Payment Swift CopyMT103.exe"Jump to behavior
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AASHNosznogz" /XML "C:\Users\user\AppData\Local\Temp\tmpD65D.tmp"Jump to behavior
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exeProcess created: C:\Users\user\AppData\Roaming\AASHNosznogz.exe "C:\Users\user\AppData\Roaming\AASHNosznogz.exe"Jump to behavior
                Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exeSection loaded: windowscodecs.dllJump to behavior
                Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exeSection loaded: dwrite.dllJump to behavior
                Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exeSection loaded: textshaping.dllJump to behavior
                Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exeSection loaded: iconcodecservice.dllJump to behavior
                Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exeSection loaded: ntmarta.dllJump to behavior
                Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exeSection loaded: edputil.dllJump to behavior
                Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exeSection loaded: appresolver.dllJump to behavior
                Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exeSection loaded: bcp47langs.dllJump to behavior
                Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exeSection loaded: slc.dllJump to behavior
                Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exeSection loaded: sppc.dllJump to behavior
                Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exeSection loaded: winmm.dllJump to behavior
                Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exeSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exeSection loaded: windowscodecs.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exeSection loaded: dwrite.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exeSection loaded: textshaping.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exeSection loaded: iconcodecservice.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exeSection loaded: edputil.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exeSection loaded: appresolver.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exeSection loaded: bcp47langs.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exeSection loaded: slc.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exeSection loaded: sppc.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exeSection loaded: winmm.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                Source: Window RecorderWindow detected: More than 3 window changes detected
                Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                Source: Payment Swift CopyMT103.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: Payment Swift CopyMT103.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

                Source: 0.2.Payment Swift CopyMT103.exe.71a0000.3.raw.unpack, DlRvq5yJkomY4LIf3S.cs.Net Code: X2WPMWey8AqqJOPa61l(typeof(Marshal).TypeHandle).GetMethod("GetDelegateForFunctionPointer", new Type[2]{X2WPMWey8AqqJOPa61l(typeof(IntPtr).TypeHandle),typeof(Type)})
                Source: 0.2.Payment Swift CopyMT103.exe.7280000.4.raw.unpack, vnAjaOk4Cgc8Sx5qPh.cs.Net Code: Lpct8oaSKS System.Reflection.Assembly.Load(byte[])
                Source: 0.2.Payment Swift CopyMT103.exe.41bdba8.0.raw.unpack, vnAjaOk4Cgc8Sx5qPh.cs.Net Code: Lpct8oaSKS System.Reflection.Assembly.Load(byte[])
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exeCode function: 12_2_0041A8DA LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,12_2_0041A8DA
                Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exeCode function: 0_2_0727B5B4 pushad ; retn 071Ch0_2_0727DFE1
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exeCode function: 8_2_06ADB5B4 pushad ; retn 06A2h8_2_06ADDFE1
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exeCode function: 8_2_06AD6250 push es; ret 8_2_06AD6260
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exeCode function: 8_2_07015DC0 push BC052B8Dh; ret 8_2_07015E2D
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exeCode function: 12_2_004000D8 push es; iretd 12_2_004000D9
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exeCode function: 12_2_0040008C push es; iretd 12_2_0040008D
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exeCode function: 12_2_004542E6 push ecx; ret 12_2_004542F9
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exeCode function: 12_2_0045B4FD push esi; ret 12_2_0045B506
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exeCode function: 12_2_00432BD6 push ecx; ret 12_2_00432BE9
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exeCode function: 12_2_00454C08 push eax; ret 12_2_00454C26
                Source: Payment Swift CopyMT103.exeStatic PE information: section name: .text entropy: 7.806256702988038
                Source: AASHNosznogz.exe.0.drStatic PE information: section name: .text entropy: 7.806256702988038
                Source: 0.2.Payment Swift CopyMT103.exe.71a0000.3.raw.unpack, DlRvq5yJkomY4LIf3S.csHigh entropy of concatenated method names: 'kZ9YdQeiiHN6iHHplRr', 'wEfHEVeR3qXSbOkcscO', 'RLbYs7foSU', 'PW2e71euAk0VMGlpcQV', 'gjVptie4PJx3mKSamWn', 'LKcyQ4eq4Fn8S34m92l', 'RgtTUJcyZL', 'TBNYf2t1gt', 'NdiYZfNUem', 'u6GYH5kC76'
                Source: 0.2.Payment Swift CopyMT103.exe.71a0000.3.raw.unpack, vH9V9oD7tIKkmfHnnj.csHigh entropy of concatenated method names: 'CO1Gqr7JX', 'O7OmLZJsW', 'AEjTXD5ed', 'DjTcZUKVY', 'V5WOgiNs3', 'ri688DDjg', 'pN9ncriqM', 'x0i4vkLXV', 'aFLjtabv9', 'zVDpUJsTO'
                Source: 0.2.Payment Swift CopyMT103.exe.7280000.4.raw.unpack, ydbdThPSmCDacj7PWO.csHigh entropy of concatenated method names: 'Tn0Oi5sBwx', 'eBuObvfxJv', 'L7hYxc72Es', 'tStYIPJBuB', 'XDeYf4aQBo', 'WxbYFAqMLN', 'YpLYGWb3Rr', 'qWCY6Y0pKM', 'TTPYnHAOM5', 'LOSYNhE4vM'
                Source: 0.2.Payment Swift CopyMT103.exe.7280000.4.raw.unpack, vnAjaOk4Cgc8Sx5qPh.csHigh entropy of concatenated method names: 'REDld5giOv', 'GKolZ9I2Y2', 'aJBlCqOsQ0', 'kpclYZc7Wl', 'ydWlOeiNU5', 'ancl3DPu11', 'Bjily4FSXC', 'uHllkAuDVH', 'LDglmato9w', 'yGYlMucXQJ'
                Source: 0.2.Payment Swift CopyMT103.exe.7280000.4.raw.unpack, vgPlGdv1YEsxHfLXZD.csHigh entropy of concatenated method names: 'v0LQgjkg53', 'VyXQB75cEX', 'MeBQxJIRu7', 'VeOQINXgeK', 'plfQflXNUd', 'lr7QFqxH0F', 'vriQGegXcW', 'ivsQ6CPdsd', 'mviQnV7iVN', 'lJ5QNlYPj0'
                Source: 0.2.Payment Swift CopyMT103.exe.7280000.4.raw.unpack, nc0pxPtpihL6DG4RYa.csHigh entropy of concatenated method names: 'QCrHyvExPq', 'pPHHkfeiK6', 'cRKHMM5OHK', 'fOrHe4Rdbd', 'E7PHuWOFhL', 'S2YHDYs1CZ', 'Nlp4EnRwoUZqYjsrH3', 'NFL7ij9kU3dWJ1h22p', 'KyyHHJ1OOW', 'mTCHlQrMIR'
                Source: 0.2.Payment Swift CopyMT103.exe.7280000.4.raw.unpack, NPCyGN2wRgSqyME1gc.csHigh entropy of concatenated method names: 'Jvv4ExHbQx', 'KJM4jeLwNf', 'Ceh4gF3LBS', 'iP94B4ln2h', 'Udg4IIhetV', 'FUY4f1esrC', 'wSb4GibvqY', 'F7l46tKviD', 'XeS4NpQA3T', 'Q2Q4Ja2RC4'
                Source: 0.2.Payment Swift CopyMT103.exe.7280000.4.raw.unpack, yqsOcR6NpxEZgGI9bF.csHigh entropy of concatenated method names: 'H4UyrDKGld', 'JYqyQEeq1g', 'kjXyD5HvYZ', 'gFCayRhDUXwWYx9kAxM', 'BLdOIth1Go62u6a3dea', 'VAift4hcbyM7Os25iPD', 'GMx7iihFiA9GSqF8eWA'
                Source: 0.2.Payment Swift CopyMT103.exe.7280000.4.raw.unpack, jfcIifHtoD9vlj84XZV.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Gc6WQoijf6', 'T9NW1EMe9f', 'lLQW78ZfJC', 'AByWW70ECj', 'zSuWKH06CM', 'iImW5kul25', 'CG3Wci4jJ4'
                Source: 0.2.Payment Swift CopyMT103.exe.7280000.4.raw.unpack, IMRhc1aXTHqq0tWibT.csHigh entropy of concatenated method names: 'yPsr0jAumE', 'RV1roPfY1A', 'lQasAKXQ8B', 'K39sHh2mR0', 'lDmrJ9fihl', 'DKsrhXTvDN', 'kiSr2ORXwT', 'ptsrTBsus4', 'SLYrpe8PXq', 'tFyrwuM72Z'
                Source: 0.2.Payment Swift CopyMT103.exe.7280000.4.raw.unpack, u9i4RvHH2VKtNlAoKDj.csHigh entropy of concatenated method names: 'jEW1oDvOQT', 's7T1zQlq1Q', 'yVo7AHaxk7', 'iLl7HU0GWm', 'evA7UbCbSr', 'RQN7l9kvON', 'gGx7twjoE7', 'jiO7dgMUjS', 'JK57ZOhpJP', 'JER7CRRXQE'
                Source: 0.2.Payment Swift CopyMT103.exe.7280000.4.raw.unpack, INQhqY95XHmfI5XTSX.csHigh entropy of concatenated method names: 'NZMQuon6ft', 'lAvQr6Vm2A', 'JC1QQ4M4kp', 'fKXQ7qxI6a', 'Sr2QKINb8D', 'YZkQcQjp13', 'Dispose', 'teqsZCjAN0', 'ec1sCpdFPI', 'ngUsYMNWQ7'
                Source: 0.2.Payment Swift CopyMT103.exe.7280000.4.raw.unpack, X66olwTgGuHAqjGmyO.csHigh entropy of concatenated method names: 'zsWuNTrXyu', 'EmEuhp8v6A', 'T1auTBUH7R', 'HOnuprXefa', 'iQVuBwR3nV', 'C90ux3HydF', 'TE0uIHegZd', 'wF3ufFkpn4', 'DiGuFclIJG', 'wk8uGN2jxb'
                Source: 0.2.Payment Swift CopyMT103.exe.7280000.4.raw.unpack, nAM361o0WfYYZyvh31.csHigh entropy of concatenated method names: 'CA51Yj4mqQ', 'rUc1OllKKC', 'CMF137frnE', 'BMo1yGV19g', 'Nbn1QeCybI', 'KhE1kVcgPS', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 0.2.Payment Swift CopyMT103.exe.7280000.4.raw.unpack, MXPIi8HABDcwcn0hS5s.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'xl21JVmmN6', 'q5x1hrljIs', 'aNI12Rf85w', 'pVx1TopIli', 'yaa1pmTAYT', 'Nlf1wDI0K4', 'sEB1LYmCCA'
                Source: 0.2.Payment Swift CopyMT103.exe.7280000.4.raw.unpack, CQ7wi1nuN3C1uQXeJZ.cs High entropy of concatenated method names: 'R73yVP57fP', 'eVPyRDAy6D', 'Oyny8ENWNk', 'rvyyXphAQp', 'EiZyiw6Ila', 'GspyqhfOBR', 'KxAybALHxL', 'OLiyEEL1Eu', 'M8ByjBHyJB', 'rwPyPRVWKD'
                Source: 0.2.Payment Swift CopyMT103.exe.7280000.4.raw.unpack, LUao0bGltxBkCjQXDJ.cs High entropy of concatenated method names: 'FU1yZf5oQw', 'gEjyYswW44', 'afby3TF5bU', 'nIa3oBGR9f', 'rQ93zbi2wM', 'FoayAKg69Q', 'YgUyHEfeBs', 'f8OyUNY1eA', 'EIryliNqUE', 'atIyt35CtH'
                Source: 0.2.Payment Swift CopyMT103.exe.7280000.4.raw.unpack, XNpwGyLafF52jB8UOe.cs High entropy of concatenated method names: 'CvxrMrwX0P', 'p4preUapTo', 'ToString', 'zOarZAymra', 'O0GrCtckuK', 'cWLrYwlmJe', 'bsbrOgrpt0', 'CQ3r3swx9j', 'DDDryIv4xF', 'hvDrkRDgS5'
                Source: 0.2.Payment Swift CopyMT103.exe.7280000.4.raw.unpack, Kt2JmWCSycOkhI7kgn.cs High entropy of concatenated method names: 'Dispose', 'bmfHvI5XTS', 'f3LUBnvfWW', 'M82yJt29fF', 'AuUHoT8Of6', 'ULwHz6cEnC', 'ProcessDialogKey', 'LZKUAgPlGd', 'sYEUHsxHfL', 'AZDUUeAM36'
                Source: 0.2.Payment Swift CopyMT103.exe.7280000.4.raw.unpack, KhLw2YgYs1CZaoLXBg.cs High entropy of concatenated method names: 'iKJ3dwVxHa', 'zgJ3CZcPSE', 'vnt3OiaqCH', 'E0W3yJ3EIt', 'QDE3k2uqKN', 'ViIOSgVEck', 'O0QOaPqg25', 'E2pO9CL2aw', 'JilO0JWhIx', 'sPSOvPCoNJ'
                Source: 0.2.Payment Swift CopyMT103.exe.7280000.4.raw.unpack, ijjtr8ztOC1K76B6Qj.cs High entropy of concatenated method names: 'Vsy1q2gRFa', 'HGN1ENYleV', 'K6I1jVCdxu', 'DsF1gE99Rn', 'qGl1Bml8VY', 'RVm1IAUB66', 'aVU1fdHDxs', 'pEO1cZk3MI', 'WNU1VmjEd3', 'HDw1RRFtEX'
                Source: 0.2.Payment Swift CopyMT103.exe.7280000.4.raw.unpack, qvExPqEDPHfeiK6UZ2.cs High entropy of concatenated method names: 'PeKCTPBZX9', 'LsFCpV9oRD', 'vLQCwvlnmp', 'wl2CL7xs68', 'lRSCSRVlJ9', 'ortCaK90OQ', 'RfMC9pkP5s', 'qC2C05Bfss', 'zCKCv25VhT', 'UFqCoAYi4R'
                Source: 0.2.Payment Swift CopyMT103.exe.7280000.4.raw.unpack, cbWkPUjRKM5OHKZOr4.cs High entropy of concatenated method names: 'iuCYXlBYR7', 'mcSYqxlm1O', 'XatYECKPeX', 'eYmYj95KCy', 'AJ0YumFGqe', 'Y1vYD0EDPH', 'wWkYrIKNoi', 'CM2Ysm3kZ1', 'Bq9YQvsZpn', 'SnaY1k4chc'
                Source: 0.2.Payment Swift CopyMT103.exe.7280000.4.raw.unpack, gUf9q3Uvh34JeRlfEZ.cs High entropy of concatenated method names: 'TtW8PxEVO', 'L6eXllFWu', 'yeBqEv5kF', 'WfGbZShTv', 'Q9Qj1AlN0', 'ACJPW9sdw', 'mY90mTAd6jUTWFu2oy', 'd7Jt0W1XcoscBgaO0E', 'JstsNEW2g', 'dBB1MjFqe'
                Source: 0.2.Payment Swift CopyMT103.exe.7280000.4.raw.unpack, WxkUBMw92CVlNHcUWB.cs High entropy of concatenated method names: 'ToString', 'H99DJtfhps', 'P0KDBTvKWx', 'ziRDxlMamL', 'mo4DIufbMS', 'ffrDfgQPjK', 'cCwDFIgw7i', 'xH2DG8Is4H', 'LMUD6YTF2S', 'fTADnp5Loe'
                Source: 0.2.Payment Swift CopyMT103.exe.41bdba8.0.raw.unpack, ydbdThPSmCDacj7PWO.cs High entropy of concatenated method names: 'Tn0Oi5sBwx', 'eBuObvfxJv', 'L7hYxc72Es', 'tStYIPJBuB', 'XDeYf4aQBo', 'WxbYFAqMLN', 'YpLYGWb3Rr', 'qWCY6Y0pKM', 'TTPYnHAOM5', 'LOSYNhE4vM'
                Source: 0.2.Payment Swift CopyMT103.exe.41bdba8.0.raw.unpack, vnAjaOk4Cgc8Sx5qPh.cs High entropy of concatenated method names: 'REDld5giOv', 'GKolZ9I2Y2', 'aJBlCqOsQ0', 'kpclYZc7Wl', 'ydWlOeiNU5', 'ancl3DPu11', 'Bjily4FSXC', 'uHllkAuDVH', 'LDglmato9w', 'yGYlMucXQJ'
                Source: 0.2.Payment Swift CopyMT103.exe.41bdba8.0.raw.unpack, vgPlGdv1YEsxHfLXZD.cs High entropy of concatenated method names: 'v0LQgjkg53', 'VyXQB75cEX', 'MeBQxJIRu7', 'VeOQINXgeK', 'plfQflXNUd', 'lr7QFqxH0F', 'vriQGegXcW', 'ivsQ6CPdsd', 'mviQnV7iVN', 'lJ5QNlYPj0'
                Source: 0.2.Payment Swift CopyMT103.exe.41bdba8.0.raw.unpack, nc0pxPtpihL6DG4RYa.cs High entropy of concatenated method names: 'QCrHyvExPq', 'pPHHkfeiK6', 'cRKHMM5OHK', 'fOrHe4Rdbd', 'E7PHuWOFhL', 'S2YHDYs1CZ', 'Nlp4EnRwoUZqYjsrH3', 'NFL7ij9kU3dWJ1h22p', 'KyyHHJ1OOW', 'mTCHlQrMIR'
                Source: 0.2.Payment Swift CopyMT103.exe.41bdba8.0.raw.unpack, NPCyGN2wRgSqyME1gc.cs High entropy of concatenated method names: 'Jvv4ExHbQx', 'KJM4jeLwNf', 'Ceh4gF3LBS', 'iP94B4ln2h', 'Udg4IIhetV', 'FUY4f1esrC', 'wSb4GibvqY', 'F7l46tKviD', 'XeS4NpQA3T', 'Q2Q4Ja2RC4'
                Source: 0.2.Payment Swift CopyMT103.exe.41bdba8.0.raw.unpack, yqsOcR6NpxEZgGI9bF.cs High entropy of concatenated method names: 'H4UyrDKGld', 'JYqyQEeq1g', 'kjXyD5HvYZ', 'gFCayRhDUXwWYx9kAxM', 'BLdOIth1Go62u6a3dea', 'VAift4hcbyM7Os25iPD', 'GMx7iihFiA9GSqF8eWA'
                Source: 0.2.Payment Swift CopyMT103.exe.41bdba8.0.raw.unpack, jfcIifHtoD9vlj84XZV.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Gc6WQoijf6', 'T9NW1EMe9f', 'lLQW78ZfJC', 'AByWW70ECj', 'zSuWKH06CM', 'iImW5kul25', 'CG3Wci4jJ4'
                Source: 0.2.Payment Swift CopyMT103.exe.41bdba8.0.raw.unpack, IMRhc1aXTHqq0tWibT.cs High entropy of concatenated method names: 'yPsr0jAumE', 'RV1roPfY1A', 'lQasAKXQ8B', 'K39sHh2mR0', 'lDmrJ9fihl', 'DKsrhXTvDN', 'kiSr2ORXwT', 'ptsrTBsus4', 'SLYrpe8PXq', 'tFyrwuM72Z'
                Source: 0.2.Payment Swift CopyMT103.exe.41bdba8.0.raw.unpack, u9i4RvHH2VKtNlAoKDj.cs High entropy of concatenated method names: 'jEW1oDvOQT', 's7T1zQlq1Q', 'yVo7AHaxk7', 'iLl7HU0GWm', 'evA7UbCbSr', 'RQN7l9kvON', 'gGx7twjoE7', 'jiO7dgMUjS', 'JK57ZOhpJP', 'JER7CRRXQE'
                Source: 0.2.Payment Swift CopyMT103.exe.41bdba8.0.raw.unpack, INQhqY95XHmfI5XTSX.cs High entropy of concatenated method names: 'NZMQuon6ft', 'lAvQr6Vm2A', 'JC1QQ4M4kp', 'fKXQ7qxI6a', 'Sr2QKINb8D', 'YZkQcQjp13', 'Dispose', 'teqsZCjAN0', 'ec1sCpdFPI', 'ngUsYMNWQ7'
                Source: 0.2.Payment Swift CopyMT103.exe.41bdba8.0.raw.unpack, X66olwTgGuHAqjGmyO.cs High entropy of concatenated method names: 'zsWuNTrXyu', 'EmEuhp8v6A', 'T1auTBUH7R', 'HOnuprXefa', 'iQVuBwR3nV', 'C90ux3HydF', 'TE0uIHegZd', 'wF3ufFkpn4', 'DiGuFclIJG', 'wk8uGN2jxb'
                Source: 0.2.Payment Swift CopyMT103.exe.41bdba8.0.raw.unpack, nAM361o0WfYYZyvh31.cs High entropy of concatenated method names: 'CA51Yj4mqQ', 'rUc1OllKKC', 'CMF137frnE', 'BMo1yGV19g', 'Nbn1QeCybI', 'KhE1kVcgPS', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 0.2.Payment Swift CopyMT103.exe.41bdba8.0.raw.unpack, MXPIi8HABDcwcn0hS5s.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'xl21JVmmN6', 'q5x1hrljIs', 'aNI12Rf85w', 'pVx1TopIli', 'yaa1pmTAYT', 'Nlf1wDI0K4', 'sEB1LYmCCA'
                Source: 0.2.Payment Swift CopyMT103.exe.41bdba8.0.raw.unpack, CQ7wi1nuN3C1uQXeJZ.cs High entropy of concatenated method names: 'R73yVP57fP', 'eVPyRDAy6D', 'Oyny8ENWNk', 'rvyyXphAQp', 'EiZyiw6Ila', 'GspyqhfOBR', 'KxAybALHxL', 'OLiyEEL1Eu', 'M8ByjBHyJB', 'rwPyPRVWKD'
                Source: 0.2.Payment Swift CopyMT103.exe.41bdba8.0.raw.unpack, LUao0bGltxBkCjQXDJ.cs High entropy of concatenated method names: 'FU1yZf5oQw', 'gEjyYswW44', 'afby3TF5bU', 'nIa3oBGR9f', 'rQ93zbi2wM', 'FoayAKg69Q', 'YgUyHEfeBs', 'f8OyUNY1eA', 'EIryliNqUE', 'atIyt35CtH'
                Source: 0.2.Payment Swift CopyMT103.exe.41bdba8.0.raw.unpack, XNpwGyLafF52jB8UOe.cs High entropy of concatenated method names: 'CvxrMrwX0P', 'p4preUapTo', 'ToString', 'zOarZAymra', 'O0GrCtckuK', 'cWLrYwlmJe', 'bsbrOgrpt0', 'CQ3r3swx9j', 'DDDryIv4xF', 'hvDrkRDgS5'
                Source: 0.2.Payment Swift CopyMT103.exe.41bdba8.0.raw.unpack, Kt2JmWCSycOkhI7kgn.cs High entropy of concatenated method names: 'Dispose', 'bmfHvI5XTS', 'f3LUBnvfWW', 'M82yJt29fF', 'AuUHoT8Of6', 'ULwHz6cEnC', 'ProcessDialogKey', 'LZKUAgPlGd', 'sYEUHsxHfL', 'AZDUUeAM36'
                Source: 0.2.Payment Swift CopyMT103.exe.41bdba8.0.raw.unpack, KhLw2YgYs1CZaoLXBg.cs High entropy of concatenated method names: 'iKJ3dwVxHa', 'zgJ3CZcPSE', 'vnt3OiaqCH', 'E0W3yJ3EIt', 'QDE3k2uqKN', 'ViIOSgVEck', 'O0QOaPqg25', 'E2pO9CL2aw', 'JilO0JWhIx', 'sPSOvPCoNJ'
                Source: 0.2.Payment Swift CopyMT103.exe.41bdba8.0.raw.unpack, ijjtr8ztOC1K76B6Qj.cs High entropy of concatenated method names: 'Vsy1q2gRFa', 'HGN1ENYleV', 'K6I1jVCdxu', 'DsF1gE99Rn', 'qGl1Bml8VY', 'RVm1IAUB66', 'aVU1fdHDxs', 'pEO1cZk3MI', 'WNU1VmjEd3', 'HDw1RRFtEX'
                Source: 0.2.Payment Swift CopyMT103.exe.41bdba8.0.raw.unpack, qvExPqEDPHfeiK6UZ2.cs High entropy of concatenated method names: 'PeKCTPBZX9', 'LsFCpV9oRD', 'vLQCwvlnmp', 'wl2CL7xs68', 'lRSCSRVlJ9', 'ortCaK90OQ', 'RfMC9pkP5s', 'qC2C05Bfss', 'zCKCv25VhT', 'UFqCoAYi4R'
                Source: 0.2.Payment Swift CopyMT103.exe.41bdba8.0.raw.unpack, cbWkPUjRKM5OHKZOr4.cs High entropy of concatenated method names: 'iuCYXlBYR7', 'mcSYqxlm1O', 'XatYECKPeX', 'eYmYj95KCy', 'AJ0YumFGqe', 'Y1vYD0EDPH', 'wWkYrIKNoi', 'CM2Ysm3kZ1', 'Bq9YQvsZpn', 'SnaY1k4chc'
                Source: 0.2.Payment Swift CopyMT103.exe.41bdba8.0.raw.unpack, gUf9q3Uvh34JeRlfEZ.cs High entropy of concatenated method names: 'TtW8PxEVO', 'L6eXllFWu', 'yeBqEv5kF', 'WfGbZShTv', 'Q9Qj1AlN0', 'ACJPW9sdw', 'mY90mTAd6jUTWFu2oy', 'd7Jt0W1XcoscBgaO0E', 'JstsNEW2g', 'dBB1MjFqe'
                Source: 0.2.Payment Swift CopyMT103.exe.41bdba8.0.raw.unpack, WxkUBMw92CVlNHcUWB.cs High entropy of concatenated method names: 'ToString', 'H99DJtfhps', 'P0KDBTvKWx', 'ziRDxlMamL', 'mo4DIufbMS', 'ffrDfgQPjK', 'cCwDFIgw7i', 'xH2DG8Is4H', 'LMUD6YTF2S', 'fTADnp5Loe'
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe Code function: 12_2_004063C6 ShellExecuteW,URLDownloadToFileW,12_2_004063C6
                Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exe File created: C:\Users\user\AppData\Roaming\AASHNosznogz.exe
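The "High entropy of concatenated method names" entries above all come from one heuristic: the method names of a decompiled class are joined into a single string and its Shannon entropy is measured, so a class full of names like 'R73yVP57fP' scores far above one whose methods are called 'ConvertFrom' or 'ToString'. Names an obfuscator cannot rename (overrides of framework members such as ToString, Dispose, CanConvertFrom or Next) dilute the score, which is why several of the flagged classes still show a few readable names. The script below is an added example for reproducing the check on your own decompiler output; it is not Joe Sandbox's implementation. The 4.5 bits-per-character threshold and the benign comparison class are assumptions; the other two name lists are taken from the entries above.

```python
import math
from collections import Counter

# Assumed cut-off: Joe Sandbox does not publish the threshold behind the
# "High entropy of concatenated method names" signature, so 4.5 bits per
# character is chosen here to separate the samples below.
ENTROPY_THRESHOLD = 4.5

# Members inherited from .NET base types or interfaces keep their real names
# even when everything else in the assembly is renamed; these are the ones
# that appear among the obfuscated names in this report.
KNOWN_FRAMEWORK_MEMBERS = {
    "ToString", "Dispose", "CanConvertFrom", "ConvertFrom", "ConvertTo",
    "ProcessDialogKey", "Next", "NextBytes",
}


def shannon_entropy(text: str) -> float:
    """Bits per character of the string (0.0 for empty input)."""
    if not text:
        return 0.0
    n = len(text)
    counts = Counter(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def method_name_entropy(method_names) -> float:
    """Entropy of the names joined back to back, which is what the signature measures."""
    return shannon_entropy("".join(method_names))


def classify(class_name: str, method_names, threshold: float = ENTROPY_THRESHOLD) -> dict:
    """Score one class and say whether it looks like obfuscator-renamed code."""
    h = method_name_entropy(method_names)
    # Readable names are listed so an analyst can see which overrides survived
    # renaming; they are the hooks (ToString, Dispose, TypeConverter members)
    # that tell you what the obfuscated class actually is.
    readable = [m for m in method_names if m in KNOWN_FRAMEWORK_MEMBERS]
    return {
        "class": class_name,
        "entropy": round(h, 3),
        "flagged": h >= threshold,
        "readable_names": readable,
    }


# Taken from the report entries: a fully renamed class and a partially renamed one.
OBFUSCATED_CLASS = ["R73yVP57fP", "eVPyRDAy6D", "Oyny8ENWNk", "rvyyXphAQp", "EiZyiw6Ila",
                    "GspyqhfOBR", "KxAybALHxL", "OLiyEEL1Eu", "M8ByjBHyJB", "rwPyPRVWKD"]
MIXED_CLASS = ["CanConvertFrom", "ConvertFrom", "ConvertTo", "xl21JVmmN6", "q5x1hrljIs",
               "aNI12Rf85w", "pVx1TopIli", "yaa1pmTAYT", "Nlf1wDI0K4", "sEB1LYmCCA"]
# Constructed benign comparison: a plain TypeConverter subclass with no renaming.
BENIGN_CONVERTER = ["CanConvertFrom", "ConvertFrom", "ConvertTo", "ToString", "Dispose"]

if __name__ == "__main__":
    for name, methods in [("CQ7wi1nuN3C1uQXeJZ", OBFUSCATED_CLASS),
                          ("MXPIi8HABDcwcn0hS5s", MIXED_CLASS),
                          ("BenignConverter", BENIGN_CONVERTER)]:
        print(classify(name, methods))
```

Run it against the method lists of every class in a decompiled assembly (dnSpy or ILSpy can export them) and sort by entropy; the classes that land at the top are where the unpacking stub and the string decryption routine usually live, because those are the parts the packer author most wants to hide.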

                Boot Survival

                Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AASHNosznogz" /XML "C:\Users\user\AppData\Local\Temp\tmpC5F2.tmp"
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe Code function: 12_2_00418A00 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,12_2_00418A00
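The schtasks.exe entry above is the persistence step: the sample writes a task definition to a temporary file in the user's Temp directory, registers it under the innocuous-looking folder "Updates" with /XML, and can then delete the temp file, so the task survives a reboot while the file that created it is gone. Because a legitimate installer has no reason to stage a task XML in %TEMP%, the combination of /Create and an /XML path under a Temp directory is a reliable thing to hunt for in process-creation telemetry. The script below is an added example for doing that, not part of the report; the first record is the command line from this report, the other two records and the TEMP_DIR_RE pattern are constructed assumptions you should extend for your own estate.

```python
import re

# Directories a user or installer has no business staging a task definition in.
# Assumed pattern: extend it with whatever temp locations exist in your estate.
TEMP_DIR_RE = re.compile(r"\\(?:AppData\\Local\\Temp|Windows\\Temp)\\", re.IGNORECASE)


def split_windows_cmdline(cmdline: str) -> list:
    """Split a Windows command line on whitespace, keeping double-quoted arguments whole."""
    return [tok.strip('"') for tok in re.findall(r'"[^"]*"|\S+', cmdline)]


def inspect_schtasks(cmdline: str):
    """Return None unless this is a schtasks /Create, else a dict describing the task."""
    tokens = split_windows_cmdline(cmdline)
    if not tokens:
        return None
    image = tokens[0].replace("\\", "/").rsplit("/", 1)[-1].lower()
    if image not in ("schtasks", "schtasks.exe"):
        return None
    lowered = [t.lower() for t in tokens]
    if "/create" not in lowered:
        return None

    def value_after(flag: str):
        # schtasks switches are case-insensitive and take the next token as their value.
        if flag in lowered:
            i = lowered.index(flag)
            if i + 1 < len(tokens):
                return tokens[i + 1]
        return None

    task_name = value_after("/tn")
    xml_path = value_after("/xml")
    return {
        "task_name": task_name,
        "xml_path": xml_path,
        "xml_from_temp": bool(xml_path and TEMP_DIR_RE.search(xml_path)),
    }


def find_temp_task_creations(process_log):
    """Filter (parent_image, cmdline) records down to task creations fed from a temp file."""
    hits = []
    for parent, cmdline in process_log:
        info = inspect_schtasks(cmdline)
        if info and info["xml_from_temp"]:
            hits.append({"parent": parent, **info})
    return hits


# Sample process-creation records. The first is the command line from this report
# (parent is the submitted sample); the other two are constructed benign entries.
SAMPLE_PROCESS_LOG = [
    (r"C:\Users\user\Desktop\Payment Swift CopyMT103.exe",
     r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AASHNosznogz" /XML "C:\Users\user\AppData\Local\Temp\tmpC5F2.tmp"'),
    (r"C:\Windows\System32\msiexec.exe",
     r'schtasks.exe /Create /TN "Backup\Nightly" /XML "C:\ProgramData\Backup\nightly.xml"'),
    (r"C:\Windows\System32\cmd.exe",
     r'schtasks.exe /Query /TN "Backup\Nightly"'),
]

if __name__ == "__main__":
    for hit in find_temp_task_creations(SAMPLE_PROCESS_LOG):
        print(hit)
```

When a hit fires, pull the task's stored definition from C:\Windows\System32\Tasks\<task name> rather than the temp file, which is normally already deleted; the stored XML still carries the command the task runs, which in this report is the copy dropped to C:\Users\user\AppData\Roaming\AASHNosznogz.exe. Note that the parent here is the sample itself, not an installer service, which is the second signal worth keying on.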

                Hooking and other Techniques for Hiding and Protection

                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (4 identical entries)
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (3 identical entries)
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe Code function: 12_2_0041A8DA LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,12_2_0041A8DA
                Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exe Process information set: NOOPENFILEERRORBOX (44 identical entries)
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (101 identical entries)
                Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe Process information set: NOOPENFILEERRORBOX (28 identical entries)
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion

Source: Yara match | File source: Process Memory Space: Payment Swift CopyMT103.exe PID: 7572, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: AASHNosznogz.exe PID: 7972, type: MEMORYSTR
Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: 12_2_0040E18D Sleep,ExitProcess,12_2_0040E18D
Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exe | Memory allocated: FB0000 memory reserve, memory write watch
Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exe | Memory allocated: 2FE0000 memory reserve, memory write watch
Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exe | Memory allocated: 2DF0000 memory reserve, memory write watch
Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exe | Memory allocated: 9590000 memory reserve, memory write watch
Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exe | Memory allocated: 8090000 memory reserve, memory write watch
Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exe | Memory allocated: A590000 memory reserve, memory write watch
Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exe | Memory allocated: B590000 memory reserve, memory write watch
Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Memory allocated: E60000 memory reserve, memory write watch
Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Memory allocated: 2840000 memory reserve, memory write watch
Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Memory allocated: EF0000 memory reserve, memory write watch
Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Memory allocated: 8B40000 memory reserve, memory write watch
Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Memory allocated: 7680000 memory reserve, memory write watch
Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Memory allocated: 9B40000 memory reserve, memory write watch
Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Memory allocated: AB40000 memory reserve, memory write watch
Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,12_2_004186FE
Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 8041
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1520
Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exe | Window / User API: threadDelayed 4104
Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exe | Window / User API: threadDelayed 5850
Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | API coverage: 5.2 %
Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exe TID: 7592 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7968 | Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exe TID: 7944 | Thread sleep count: 4104 > 30
Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exe TID: 7944 | Thread sleep time: -12312000s >= -30000s
Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exe TID: 7944 | Thread sleep count: 5850 > 30
Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exe TID: 7944 | Thread sleep time: -17550000s >= -30000s
Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe TID: 8004 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed (2 occurrences)
Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: 12_2_0041A01B FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,12_2_0041A01B
Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: 12_2_0040B28E FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,12_2_0040B28E
Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: 12_2_0040838E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,12_2_0040838E
Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: 12_2_004087A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,12_2_004087A0
Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: 12_2_00407848 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,12_2_00407848
Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: 12_2_004068CD FindFirstFileW,FindNextFileW,12_2_004068CD
Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: 12_2_0044BA59 FindFirstFileExA,12_2_0044BA59
Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: 12_2_0040AA71 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,12_2_0040AA71
Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: 12_2_00417AAB FindFirstFileW,FindNextFileW,FindNextFileW,12_2_00417AAB
Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: 12_2_0040AC78 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,12_2_0040AC78
Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: 12_2_00406D28 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,12_2_00406D28
Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Thread delayed: delay time: 922337203685477
Source: AASHNosznogz.exe, 00000008.00000002.1456954154.0000000000A5F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: Payment Swift CopyMT103.exe, 00000007.00000002.3868496825.0000000001007000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlltt
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: 12_2_004327AE IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,12_2_004327AE
Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: 12_2_0041A8DA LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,12_2_0041A8DA
Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: 12_2_004407B5 mov eax, dword ptr fs:[00000030h] 12_2_004407B5
Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: 12_2_00410763 SetLastError,GetNativeSystemInfo,SetLastError,GetProcessHeap,HeapAlloc,SetLastError,12_2_00410763
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: 12_2_004327AE IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,12_2_004327AE
Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: 12_2_004328FC SetUnhandledExceptionFilter,12_2_004328FC
Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: 12_2_004398AC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,12_2_004398AC
Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: 12_2_00432D5C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,12_2_00432D5C
Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exe | Memory allocated: page read and write, page guard
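The sleep-stalling lines in this section are easier to reason about once parsed. The Python below is an added example, not part of the Joe Sandbox report and not code from the sample. It reads lines of the shape shown above (the embedded sample lines are copied from this section; the " | " layout and the millisecond interpretation are the example's own assumptions) and classifies each thread. A total that is a whole multiple of 922337203685477 is a wait of TimeSpan.MaxValue (Int64.MaxValue ticks divided by 10,000 ticks per millisecond), that is, a thread parked until the analysis ends; the powershell.exe total is exactly four such waits summed. A "Thread sleep count" above the report's threshold of 30, paired with the total that follows it, gives the per-call interval: for TID 7944 that is 12312000 / 4104 = 3000 and 17550000 / 5850 = 3000, so the totals are evidently milliseconds despite the report's "s" suffix, and the loader burns the sandbox's time budget with a 3-second sleep iterated thousands of times.

```python
import re
from collections import defaultdict

# Added example: triage of Joe Sandbox-style thread sleep observations.
# Int64.MaxValue ticks / 10,000 ticks per ms = TimeSpan.MaxValue in milliseconds.
# A reported total equal to (a multiple of) this value is a thread told to wait
# forever; it only "returns" once the analysis run is over.
TIMESPAN_MAX_MS = (2**63 - 1) // 10_000          # 922337203685477
SLEEP_LOOP_MIN_CALLS = 30                        # the report's own "> 30" threshold
SANDBOX_BUDGET_MS = 30_000                       # the report's own "-30000" threshold

# Constructed input: the lines of this report section. The " | " separator is
# this example's layout; the regex also accepts the unseparated original form.
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exe TID: 7592 | Thread sleep time: -922337203685477s >= -30000s",
    r"Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7968 | Thread sleep time: -3689348814741908s >= -30000s",
    r"Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exe TID: 7944 | Thread sleep count: 4104 > 30",
    r"Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exe TID: 7944 | Thread sleep time: -12312000s >= -30000s",
    r"Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exe TID: 7944 | Thread sleep count: 5850 > 30",
    r"Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exe TID: 7944 | Thread sleep time: -17550000s >= -30000s",
    r"Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe TID: 8004 | Thread sleep time: -922337203685477s >= -30000s",
]

# The report labels totals with "s", but 12312000 / 4104 = 3000 exactly, so the
# totals are treated as milliseconds here (assumption drawn from that arithmetic).
LINE_RE = re.compile(
    r"Source: (?P<image>.+?\.exe)\s+TID: (?P<tid>\d+)\s*\|?\s*"
    r"Thread sleep (?P<kind>time|count): -?(?P<value>\d+)"
)


def parse_sleep_lines(lines):
    """Group (kind, value) observations per (image, tid), keeping report order."""
    per_thread = defaultdict(list)
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            per_thread[(m["image"], int(m["tid"]))].append((m["kind"], int(m["value"])))
    return per_thread


def analyze(lines):
    """One finding per sleep total; a preceding count on the same TID is paired with it."""
    findings = []
    for (image, tid), observations in parse_sleep_lines(lines).items():
        pending_count = None
        for kind, value in observations:
            if kind == "count":
                pending_count = value            # "Thread sleep count: N > 30" precedes its total
                continue
            finding = {"image": image.rsplit("\\", 1)[-1], "tid": tid}
            if value >= TIMESPAN_MAX_MS:
                # k * 922337203685477: k waits of TimeSpan.MaxValue summed on this thread
                finding.update(technique="infinite_wait", waits=value // TIMESPAN_MAX_MS)
            elif pending_count and pending_count > SLEEP_LOOP_MIN_CALLS:
                finding.update(technique="sleep_loop", calls=pending_count,
                               interval_ms=value // pending_count, total_s=value / 1000)
            elif value > SANDBOX_BUDGET_MS:
                finding.update(technique="long_sleep", total_ms=value)
            else:
                pending_count = None
                continue
            findings.append(finding)
            pending_count = None
    return findings


def summarize(findings):
    """Parked threads and total stalled wall-clock seconds from finite sleep loops."""
    parked = sum(1 for f in findings if f["technique"] == "infinite_wait")
    stalled_s = sum(f["total_s"] for f in findings if f["technique"] == "sleep_loop")
    return {"parked_threads": parked, "stalled_seconds": stalled_s}


if __name__ == "__main__":
    for f in analyze(SAMPLE_LINES):
        print(f)
    print(summarize(analyze(SAMPLE_LINES)))
```

The two sleep loops on TID 7944 alone stall for 12312 + 17550 seconds, over eight hours, which is why the report also flags "Delayed program exit found"; a sandbox that does not patch Sleep or fast-forward the clock never reaches the payload.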

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\AASHNosznogz.exe" (2 occurrences)
Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Memory written: C:\Users\user\AppData\Roaming\AASHNosznogz.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 12_2_00410B5C
Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: 12_2_004175E1 mouse_event,12_2_004175E1
Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\AASHNosznogz.exe"
Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AASHNosznogz" /XML "C:\Users\user\AppData\Local\Temp\tmpC5F2.tmp"
Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exe | Process created: C:\Users\user\Desktop\Payment Swift CopyMT103.exe "C:\Users\user\Desktop\Payment Swift CopyMT103.exe"
Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AASHNosznogz" /XML "C:\Users\user\AppData\Local\Temp\tmpD65D.tmp"
Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Process created: C:\Users\user\AppData\Roaming\AASHNosznogz.exe "C:\Users\user\AppData\Roaming\AASHNosznogz.exe"
Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: 12_2_004329DA cpuid 12_2_004329DA
Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: EnumSystemLocalesW,12_2_0044F17B
Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: EnumSystemLocalesW,12_2_0044F130
Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: EnumSystemLocalesW,12_2_0044F216
Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,12_2_0044F2A3
Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: GetLocaleInfoA,12_2_0040E2BB
Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: GetLocaleInfoW,12_2_0044F4F3
Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,12_2_0044F61C
Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: GetLocaleInfoW,12_2_0044F723
Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,12_2_0044F7F0
Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: EnumSystemLocalesW,12_2_00445914
Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: GetLocaleInfoW,12_2_00445E1C
Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,12_2_0044EEB8
Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exe | Queries volume information: C:\Users\user\Desktop\Payment Swift CopyMT103.exe VolumeInformation
Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (2 occurrences)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (3 occurrences)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation (2 occurrences)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation (5 occurrences)
Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Queries volume information: C:\Users\user\AppData\Roaming\AASHNosznogz.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: 12_2_0040A0B0 GetLocalTime,wsprintfW,12_2_0040A0B0
Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: 12_2_004195F8 GetUserNameW,12_2_004195F8
Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: 12_2_004466BF _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,12_2_004466BF
Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
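Three process-creation patterns in this section are the ones a detection engineer keys on: a PowerShell child that adds a Windows Defender exclusion for a file under AppData\Roaming, schtasks.exe importing a task definition from a .tmp file in the user's Temp folder (the report's "Scheduled temp file as task from temp location" Sigma hit), and each stage re-launching its own image, which is consistent with the "Memory written: ... base: 400000 value starts with: 4D5A" line, a PE image being written into the freshly spawned copy. The Python below is an added example, not Joe Sandbox or sample code. It evaluates Sysmon Event ID 1-style process-creation events (constructed here from the command lines this section shows, plus one explorer.exe to notepad.exe control event that is made up) against those three rules, groups the hits per parent image, and scores them; the rule names, weights and thresholds are the example's own.

```python
import re

# Added example: process-creation rules for the behaviour shown in this section.
# EVENTS are constructed from the report's command lines (Sysmon Event ID 1
# field names); the explorer.exe -> notepad.exe event is a benign control.
EVENTS = [
    {"ParentImage": r"C:\Users\user\Desktop\Payment Swift CopyMT103.exe",
     "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\AASHNosznogz.exe"'},
    {"ParentImage": r"C:\Users\user\Desktop\Payment Swift CopyMT103.exe",
     "Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "CommandLine": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AASHNosznogz" /XML "C:\Users\user\AppData\Local\Temp\tmpC5F2.tmp"'},
    {"ParentImage": r"C:\Users\user\Desktop\Payment Swift CopyMT103.exe",
     "Image": r"C:\Users\user\Desktop\Payment Swift CopyMT103.exe",
     "CommandLine": r'"C:\Users\user\Desktop\Payment Swift CopyMT103.exe"'},
    {"ParentImage": r"C:\Users\user\AppData\Roaming\AASHNosznogz.exe",
     "Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "CommandLine": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AASHNosznogz" /XML "C:\Users\user\AppData\Local\Temp\tmpD65D.tmp"'},
    {"ParentImage": r"C:\Users\user\AppData\Roaming\AASHNosznogz.exe",
     "Image": r"C:\Users\user\AppData\Roaming\AASHNosznogz.exe",
     "CommandLine": r'"C:\Users\user\AppData\Roaming\AASHNosznogz.exe"'},
    {"ParentImage": r"C:\Windows\explorer.exe",                      # constructed benign control
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r'"C:\Windows\System32\notepad.exe" C:\Users\user\Desktop\notes.txt'},
]

EXCLUSION_RE = re.compile(
    r'\bAdd-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)\s+"?(?P<target>[^"]+)"?', re.I)
TASK_XML_RE = re.compile(r'/XML\s+"?(?P<xml>[^"]+)"?', re.I)
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
USER_WRITABLE_RE = re.compile(r"\\Users\\[^\\]+\\(?:AppData|Desktop|Downloads|Documents)\\", re.I)

# Example weights: an exclusion is the strongest single signal, a self-spawn the weakest
# (some legitimate software re-launches itself), so it only matters in combination.
WEIGHTS = {"defender_exclusion_added": 3, "exclusion_targets_user_writable_path": 1,
           "task_xml_from_temp": 2, "self_spawn": 1}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Return the rule names one process-creation event triggers, in rule order."""
    hits = []
    image, parent, cmd = event["Image"], event["ParentImage"], event["CommandLine"]
    if basename(image) in ("powershell.exe", "pwsh.exe"):
        m = EXCLUSION_RE.search(cmd)
        if m:
            hits.append("defender_exclusion_added")
            if USER_WRITABLE_RE.search(m["target"]):
                hits.append("exclusion_targets_user_writable_path")
    if basename(image) == "schtasks.exe" and re.search(r"/Create\b", cmd, re.I):
        m = TASK_XML_RE.search(cmd)
        if m and TEMP_DIR_RE.search(m["xml"]):
            hits.append("task_xml_from_temp")
    if image.lower() == parent.lower():
        hits.append("self_spawn")                # same image re-launched by itself
    return hits


def score_tree(events):
    """Group triggered rules by parent image, the stage that orchestrated the children."""
    by_parent = {}
    for ev in events:
        for rule in evaluate(ev):
            by_parent.setdefault(ev["ParentImage"], set()).add(rule)
    return by_parent


def verdict(rules):
    score = sum(WEIGHTS[r] for r in rules)
    return "high" if score >= 3 else "medium" if score >= 2 else "low" if score else "none"


if __name__ == "__main__":
    for parent, rules in score_tree(EVENTS).items():
        print(verdict(rules), parent, sorted(rules))
```

Grouping by parent rather than by child is deliberate: the individual powershell.exe and schtasks.exe events are each arguable on their own, but one parent in a user-writable directory producing both, and then a copy of itself, is the loader behaviour this report describes.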

Stealing of Sensitive Information

Source: Yara match | File source: 0.2.Payment Swift CopyMT103.exe.71a0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Payment Swift CopyMT103.exe.71a0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1429290912.00000000071A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.Payment Swift CopyMT103.exe.4b3e4c8.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.AASHNosznogz.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Payment Swift CopyMT103.exe.4b3e4c8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.AASHNosznogz.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Payment Swift CopyMT103.exe.4103f88.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Payment Swift CopyMT103.exe.4103f88.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000002.1457396479.000000000166A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3868496825.0000000001007000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1424555615.0000000004B3E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1424555615.0000000003FE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Payment Swift CopyMT103.exe PID: 7572, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Payment Swift CopyMT103.exe PID: 7912, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: AASHNosznogz.exe PID: 7340, type: MEMORYSTR
Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 12_2_0040A953
Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 12_2_0040AA71
Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: \key3.db 12_2_0040AA71

Remote Access Functionality

Source: C:\Users\user\Desktop\Payment Swift CopyMT103.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-E00CAV
Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-E00CAV
Source: Yara match | File source: 0.2.Payment Swift CopyMT103.exe.71a0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Payment Swift CopyMT103.exe.71a0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1429290912.00000000071A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.Payment Swift CopyMT103.exe.4b3e4c8.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.AASHNosznogz.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Payment Swift CopyMT103.exe.4b3e4c8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.AASHNosznogz.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Payment Swift CopyMT103.exe.4103f88.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Payment Swift CopyMT103.exe.4103f88.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000002.1457396479.000000000166A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3868496825.0000000001007000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1424555615.0000000004B3E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1424555615.0000000003FE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Payment Swift CopyMT103.exe PID: 7572, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Payment Swift CopyMT103.exe PID: 7912, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: AASHNosznogz.exe PID: 7340, type: MEMORYSTR
Source: C:\Users\user\AppData\Roaming\AASHNosznogz.exe | Code function: cmd.exe 12_2_0040567A
MITRE ATT&CK Matrix (listed per tactic; a number in brackets is the badge count shown next to a flagged technique, techniques without a number carry no badge):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
Execution: [1] Native API; [1] Command and Scripting Interpreter; [1] Scheduled Task/Job; [2] Service Execution; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
Persistence: [1] DLL Side-Loading; [1] Windows Service; [1] Scheduled Task/Job; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Privilege Escalation: [1] DLL Side-Loading; [1] Access Token Manipulation; [1] Windows Service; [121] Process Injection; [1] Scheduled Task/Job; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Defense Evasion: [11] Disable or Modify Tools; [1] Deobfuscate/Decode Files or Information; [3] Obfuscated Files or Information; [22] Software Packing; [1] DLL Side-Loading; [1] Masquerading; [31] Virtualization/Sandbox Evasion; [1] Access Token Manipulation; [121] Process Injection; Dynamic API Resolution
Credential Access: [1] OS Credential Dumping; [111] Input Capture; [2] Credentials In Files; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
Discovery: [2] System Time Discovery; [1] Account Discovery; [1] System Service Discovery; [3] File and Directory Discovery; [33] System Information Discovery; [121] Security Software Discovery; [31] Virtualization/Sandbox Evasion; [2] Process Discovery; [1] Application Window Discovery; [1] System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
Collection: [11] Archive Collected Data; [111] Input Capture; [3] Clipboard Data; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
Command and Control: [11] Ingress Tool Transfer; [2] Encrypted Channel; [1] Non-Standard Port; [1] Remote Access Software; [1] Non-Application Layer Protocol; [11] Application Layer Protocol; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Impact: [1] System Shutdown/Reboot; [1] Defacement; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement
Behavior Graph (ID: 1586045; Sample: Payment Swift CopyMT103.exe; Start date: 08/01/2025; Architecture: WINDOWS; Score: 100)

Contacted hosts: teewire.ydns.eu (147.124.212.172, remote port 2195, local ports 49709 and 49710; AC-AS-1US, United States); teebro1800.dynamic-dns.net
Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 16 other signatures

Process tree:
Payment Swift CopyMT103.exe
    Dropped: C:\Users\user\AppData\...\AASHNosznogz.exe (PE32); C:\Users\...\AASHNosznogz.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmpC5F2.tmp (XML); C:\Users\...\Payment Swift CopyMT103.exe.log (ASCII)
    Signature: Adds a directory exclusion to Windows Defender
    Payment Swift CopyMT103.exe (child; connects to teewire.ydns.eu 147.124.212.172; signature: Detected Remcos RAT)
    powershell.exe (signature: Loading BitLocker PowerShell Module)
        WmiPrvSE.exe
        conhost.exe
    schtasks.exe
        conhost.exe
AASHNosznogz.exe
    Signatures: Multi AV Scanner detection for dropped file; Contains functionality to change the wallpaper; Machine Learning detection for dropped file; 5 other signatures
    AASHNosznogz.exe (child)
    schtasks.exe
        conhost.exe

Source | Detection | Scanner | Label
Payment Swift CopyMT103.exe | 71% | ReversingLabs | Win32.Trojan.Remcos
Payment Swift CopyMT103.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\AASHNosznogz.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\AASHNosznogz.exe | 71% | ReversingLabs | Win32.Trojan.Remcos
                No Antivirus matches
                No Antivirus matches
Source | Detection | Scanner | Label
teebro1800.dynamic-dns.net | 100% | Avira URL Cloud | malware
teewire.ydns.eu | 100% | Avira URL Cloud | malware
Name | IP | Active | Malicious | Antivirus Detection | Reputation
teebro1800.dynamic-dns.net | 147.124.212.172 | true | true | | unknown
teewire.ydns.eu | 147.124.212.172 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
teebro1800.dynamic-dns.net | true | Avira URL Cloud: malware | unknown
teewire.ydns.eu | true | Avira URL Cloud: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://geoplugin.net/json.gp | AASHNosznogz.exe | false | | high
http://www.omdbapi.com/?t=)&y=&plot=long&r=json | Payment Swift CopyMT103.exe, AASHNosznogz.exe.0.dr | false | | high
http://geoplugin.net/json.gp/C | Payment Swift CopyMT103.exe, 00000000.00000002.1424555615.0000000003FE9000.00000004.00000800.00020000.00000000.sdmp; Payment Swift CopyMT103.exe, 00000000.00000002.1424555615.0000000004B3E000.00000004.00000800.00020000.00000000.sdmp; AASHNosznogz.exe, 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Payment Swift CopyMT103.exe, 00000000.00000002.1422848291.000000000302F000.00000004.00000800.00020000.00000000.sdmp; AASHNosznogz.exe, 00000008.00000002.1458876116.000000000288F000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
147.124.212.172 | teebro1800.dynamic-dns.net | United States | 1432 | AC-AS-1US | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1586045
Start date and time: 2025-01-08 16:53:07 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 28s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes: 19
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Payment Swift CopyMT103.exe
Detection: MAL
Classification: mal100.rans.troj.spyw.evad.winEXE@16/11@9/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 85
• Number of non-executed functions: 194
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 23.56.254.164, 20.109.210.53
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information
• Report size getting too big, too many NtCreateKey calls found
• Report size getting too big, too many NtOpenKeyEx calls found
• Report size getting too big, too many NtProtectVirtualMemory calls found
• Report size getting too big, too many NtQueryValueKey calls found
• VT rate limit hit for: Payment Swift CopyMT103.exe
Time | Type | Description
10:54:03 | API Interceptor | 4600699x Sleep call for process: Payment Swift CopyMT103.exe modified
10:54:05 | API Interceptor | 12x Sleep call for process: powershell.exe modified
10:54:07 | API Interceptor | 1x Sleep call for process: AASHNosznogz.exe modified
16:54:05 | Task Scheduler | Run new task: AASHNosznogz path: C:\Users\user\AppData\Roaming\AASHNosznogz.exe
                            No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
teebro1800.dynamic-dns.net | payment receipt copy.bat.exe | malicious | Remcos | 109.248.151.221
teebro1800.dynamic-dns.net | product sample requirement.exe | malicious | XWorm | 109.248.151.221
teebro1800.dynamic-dns.net | z1ProductSampleRequirement.exe | malicious | Remcos | 51.75.166.98
teebro1800.dynamic-dns.net | HSBC Payment Swift Copy.exe | malicious | Remcos | 140.228.29.6
teewire.ydns.eu | PO#83298373729383838392387373873PDF.exe | malicious | Quasar | 208.70.254.118
Match | Associated Sample Name / URL | Detection | Threat Name | Context
AC-AS-1US | Customer.exe | malicious | XWorm | 147.124.210.158
AC-AS-1US | ENQ-0092025.doc | malicious | DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger | 147.124.216.113
AC-AS-1US | ITT # KRPBV2663 .doc | malicious | DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger | 147.124.216.113
AC-AS-1US | PI ITS15235.doc | malicious | DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger | 147.124.216.113
AC-AS-1US | ppc.elf | malicious | Unknown | 147.124.39.73
AC-AS-1US | loligang.sh4.elf | malicious | Mirai | 65.217.170.6
AC-AS-1US | scheduledllama.exe | malicious | RedLine | 147.124.222.241
AC-AS-1US | i686.elf | malicious | Unknown | 147.124.15.84
AC-AS-1US | 5r3fqt67ew531has4231.m68k.elf | malicious | Mirai, Okiru | 147.124.15.46
AC-AS-1US | lIocM276SA.exe | malicious | Remcos, Amadey, LummaC Stealer, Stealc, WhiteSnake Stealer | 147.124.221.201
                            No context
                            No context

Process: C:\Users\user\AppData\Roaming\AASHNosznogz.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.34331486778365
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5: 1330C80CAAC9A0FB172F202485E9B1E8
SHA1: 86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256: B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512: 75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious: false
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

Process: C:\Users\user\Desktop\Payment Swift CopyMT103.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.34331486778365
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5: 1330C80CAAC9A0FB172F202485E9B1E8
SHA1: 86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256: B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512: 75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious: true
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 2232
Entropy (8bit): 5.379401388151058
Encrypted: false
SSDEEP: 48:fWSU4xymI4RfoUeW+gZ9tK8NPZHUxL7u1iMuge//MPUyus:fLHxvIIwLgZ2KRHWLOugss
MD5: 25321E5EF46D4B6586B432EDE14CDFB7
SHA1: 7B04466E0869735444E88F5F99045A021E104D5B
SHA-256: D01CD798290DF4649DC4747E1130281BCB90400C1BABA2727D819D2626CCE70B
SHA-512: 4C5A5AEBCCF0426B10C11CAC0E2B935030FE539EF3582BC6AE4CCF052A9A7C6C35F3B8409123F59BDC7F0C35ABB9B433A4FAFFA50F856197A0B4712C8283BD40
Malicious: false
Preview: @...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Users\user\Desktop\Payment Swift CopyMT103.exe
File Type: XML 1.0 document, ASCII text
Category: dropped
Size (bytes): 1585
Entropy (8bit): 5.112212712293193
Encrypted: false
SSDEEP: 24:2di4+S2qhtJ12iy1mcrUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtIxvn:cgeLAYrFdOFzOzN33ODOiDdKrsuTov
MD5: 4E8F5432DE4591C5ADB3805CCDAEE3DB
SHA1: 28B121886FF4B528007655E476821C3C0503850F
SHA-256: 16C4DAB4946A6D7BB0426AD96E0EF25F10BF4D7B9B9C623D5D10A8AA054EFB40
SHA-512: A3D691A40AC2F6F48EAA005B09351682E5BA0377E03BCBA7D6D1A903C78F6273F3DC95FBE52F6EC10EB3D94061C380BDB7B04DC7124D13B0276671417DD8CBFB
Malicious: true
Preview: <?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

Process: C:\Users\user\AppData\Roaming\AASHNosznogz.exe
File Type: XML 1.0 document, ASCII text
Category: dropped
Size (bytes): 1585
Entropy (8bit): 5.112212712293193
Encrypted: false
SSDEEP: 24:2di4+S2qhtJ12iy1mcrUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtIxvn:cgeLAYrFdOFzOzN33ODOiDdKrsuTov
MD5: 4E8F5432DE4591C5ADB3805CCDAEE3DB
SHA1: 28B121886FF4B528007655E476821C3C0503850F
SHA-256: 16C4DAB4946A6D7BB0426AD96E0EF25F10BF4D7B9B9C623D5D10A8AA054EFB40
SHA-512: A3D691A40AC2F6F48EAA005B09351682E5BA0377E03BCBA7D6D1A903C78F6273F3DC95FBE52F6EC10EB3D94061C380BDB7B04DC7124D13B0276671417DD8CBFB
Malicious: false
Preview: <?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

Process: C:\Users\user\Desktop\Payment Swift CopyMT103.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 995840
Entropy (8bit): 7.800365483034683
Encrypted: false
SSDEEP: 12288:bnE1cUoV+I4MVKWb0GbmEI3PZbOrYQ3EFHOIj03GtW1wOejvgwb372hFeABqzgXB:bnEuRgoefMsEEFHOmSasSz8qaD
MD5: BED1442A4F50A01CA78BAFFD48313104
SHA1: 4920449AE36EC9F4954A60291793639A7F53223E
SHA-256: 24777F80F39FBA9DA6A66BB0804BD3C3A510126F583EEFB8918E24FA5FDEB69B
SHA-512: 1435099AAD068A175B61B3E9333263656EEA61CA5F541C836AA780B7B6072BC681DB815638F354C2B0FA3E1411756C0C7038F55990AC8EEABB4B1D1A354C16F4
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 71%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...QO{g..............0.............j8... ...@....@.. ....................................@..................................8..O....@..4....................`....................................................... ............... ..H............text...p.... ...................... ..`.rsrc...4....@......................@..@.reloc.......`.......0..............@..B................L8......H........q...P..........P....u............................................{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*^..}.....(.......(.....*.0............{....o....r...p(....,E.{....o....r...p(....,..{....o....r...p(....,..{....o....r...p(....+....,T...{....o....(.......{....o....(.......{....o....(.......{....o....(.......(......+..r...p(....&.*.0..+.........,..{.......+....,...{....o........(.....*..0............s....}.....s....}.....s....}.....s....
                            Process:C:\Users\user\Desktop\Payment Swift CopyMT103.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):26
                            Entropy (8bit):3.95006375643621
                            Encrypted:false
                            SSDEEP:3:ggPYV:rPYV
                            MD5:187F488E27DB4AF347237FE461A079AD
                            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                            Malicious:true
                            Preview:[ZoneTransfer]....ZoneId=0
                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                            Entropy (8bit):7.800365483034683
                            TrID:
                            • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                            • Win32 Executable (generic) a (10002005/4) 49.78%
                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                            • Generic Win/DOS Executable (2004/3) 0.01%
                            • DOS Executable Generic (2002/1) 0.01%
                            File name:Payment Swift CopyMT103.exe
                            File size:995'840 bytes
                            MD5:bed1442a4f50a01ca78baffd48313104
                            SHA1:4920449ae36ec9f4954a60291793639a7f53223e
                            SHA256:24777f80f39fba9da6a66bb0804bd3c3a510126f583eefb8918e24fa5fdeb69b
                            SHA512:1435099aad068a175b61b3e9333263656eea61ca5f541c836aa780b7b6072bc681db815638f354c2b0fa3e1411756c0c7038f55990ac8eeabb4b1d1a354c16f4
                            SSDEEP:12288:bnE1cUoV+I4MVKWb0GbmEI3PZbOrYQ3EFHOIj03GtW1wOejvgwb372hFeABqzgXB:bnEuRgoefMsEEFHOmSasSz8qaD
                            TLSH:852502942355EA02E5734BF11971E3F9037A9E8DA521E3078FFEBDEB39287019D14682
                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...QO{g..............0.............j8... ...@....@.. ....................................@................................
                            Icon Hash:a3655757150102e0
                            Entrypoint:0x4f386a
                            Entrypoint Section:.text
                            Digitally signed:false
                            Imagebase:0x400000
                            Subsystem:windows gui
                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                            Time Stamp:0x677B4F51 [Mon Jan 6 03:34:41 2025 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major:4
                            OS Version Minor:0
                            File Version Major:4
                            File Version Minor:0
                            Subsystem Version Major:4
                            Subsystem Version Minor:0
                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                            Instruction
                            jmp dword ptr [00402000h]
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            Name | Virtual Address | Virtual Size | Is in Section
                            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_IMPORT | 0xf3818 | 0x4f | .text
                            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xf4000 | 0x1334 | .rsrc
                            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xf6000 | 0xc | .reloc
                            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                            Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                            .text | 0x2000 | 0xf1870 | 0xf1a00 | c600037439a05c4a8c23b779a260d3d3 | False | 0.9216729177444387 | data | 7.806256702988038 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                            .rsrc | 0xf4000 | 0x1334 | 0x1400 | 9e93c0caaf458036d26f75010dbd6c5c | False | 0.74296875 | data | 6.704882520490661 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                            .reloc | 0xf6000 | 0xc | 0x200 | 4705a5e66d975367bfc305d2087e5572 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                            Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                            RT_ICON | 0xf40c8 | 0xf07 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.8736677930855212
                            RT_GROUP_ICON | 0xf4fe0 | 0x14 | data | | | 1.05
                            RT_VERSION | 0xf5004 | 0x32c | data | | | 0.4273399014778325
                            DLL | Import
                            mscoree.dll | _CorExeMain
                            Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                            2025-01-08T16:54:07.958005+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49709 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:54:09.678969+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49710 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:54:12.226350+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49713 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:54:13.772660+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49714 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:54:16.478783+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49715 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:54:18.114715+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49716 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:54:20.651343+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49717 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:54:22.166505+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49720 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:54:24.711004+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49721 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:54:26.212376+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49722 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:54:28.837950+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49723 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:54:30.379694+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49724 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:54:32.896087+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49725 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:54:34.399739+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49726 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:54:36.896953+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49727 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:54:38.380028+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49728 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:54:41.070235+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49729 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:54:42.583220+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49730 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:54:45.123012+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49731 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:54:46.632266+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49732 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:54:49.130999+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49733 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:54:50.630818+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49734 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:54:53.132005+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49735 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:54:54.630874+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49736 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:54:57.146261+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49737 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:54:58.646111+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49738 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:55:01.193409+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49740 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:55:02.677218+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49741 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:55:05.227966+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49742 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:55:06.792701+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49743 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:55:09.306270+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49744 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:55:10.822967+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49745 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:55:13.428226+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49746 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:55:14.928086+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49747 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:55:17.429729+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49748 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:55:18.928259+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49749 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:55:21.431011+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49750 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:55:22.929093+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49751 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:55:25.431237+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49752 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:55:26.930990+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49753 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:55:29.428980+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49754 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:55:30.949004+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49755 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:55:33.463269+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49756 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:55:34.959627+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49757 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:55:37.547012+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49758 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:55:39.060999+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49759 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:55:41.569640+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49760 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:55:43.075060+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49761 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:55:45.760941+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49762 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:55:47.256445+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49763 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:55:49.760988+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49764 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:55:51.290039+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49765 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:55:53.805704+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49766 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:55:55.325020+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49767 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:55:57.901032+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49768 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:55:59.414141+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49769 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:56:01.932713+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49770 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:56:03.480999+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49771 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:56:05.995029+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49772 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:56:07.512998+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49773 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:56:10.040366+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49774 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:56:11.554844+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49775 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:56:14.093963+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49776 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:56:15.587152+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49777 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:56:18.485041+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49778 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:56:20.094251+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49779 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:56:22.605024+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49780 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:56:24.215995+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49781 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:56:26.667563+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49782 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:56:28.165057+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49783 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:56:30.619328+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49784 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:56:32.158610+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49785 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:56:34.538689+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49786 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:56:36.075634+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49787 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:56:38.414494+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49788 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:56:39.914469+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49789 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:56:42.261448+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49790 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:56:43.775249+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49791 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:56:46.089585+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49792 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:56:47.606794+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49793 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:56:50.479071+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49794 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:56:51.993155+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49795 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:56:54.245003+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49796 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:56:55.759188+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49797 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:56:58.007506+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49798 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:56:59.511143+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49799 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:57:01.745196+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49800 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:57:03.246273+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49801 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:57:05.433098+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49802 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:57:06.949050+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49803 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:57:09.119459+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49804 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:57:10.637915+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49805 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:57:12.778085+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49806 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:57:14.290399+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49807 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:57:16.430169+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49808 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:57:17.965103+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49809 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:57:20.076812+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49810 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:57:21.591474+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49811 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:57:24.024214+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49812 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:57:25.524388+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49813 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:57:27.571632+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49814 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:57:29.054961+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49815 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:57:31.122172+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49816 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:57:32.617836+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49817 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:57:34.619436+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49818 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:57:36.140048+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49819 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:57:38.151090+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49820 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:57:39.655668+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49821 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:57:41.953040+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49822 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:57:43.461949+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49823 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:57:45.437055+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49824 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:57:47.073041+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49825 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:57:49.199116+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49826 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:57:50.809966+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49827 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:57:52.823188+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49828 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:57:54.367797+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49829 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:57:56.415546+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49830 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:57:57.932828+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49831 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:57:59.857061+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49832 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:58:01.356007+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49833 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:58:03.245285+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49834 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:58:04.765049+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49835 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:58:06.649697+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49836 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:58:08.165372+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49837 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:58:10.051373+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49838 | 147.124.212.172 | 2195 | TCP
                            2025-01-08T16:58:11.574708+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49839 | 147.124.212.172 | 2195 | TCP
                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                            Jan 8, 2025 16:54:06.435498953 CET | 49709 | 2195 | 192.168.2.8 | 147.124.212.172
                            Jan 8, 2025 16:54:06.440347910 CET | 2195 | 49709 | 147.124.212.172 | 192.168.2.8
                            Jan 8, 2025 16:54:06.440403938 CET | 49709 | 2195 | 192.168.2.8 | 147.124.212.172
                            Jan 8, 2025 16:54:06.446372032 CET | 49709 | 2195 | 192.168.2.8 | 147.124.212.172
                            Jan 8, 2025 16:54:06.451169968 CET | 2195 | 49709 | 147.124.212.172 | 192.168.2.8
                            Jan 8, 2025 16:54:07.957921982 CET | 2195 | 49709 | 147.124.212.172 | 192.168.2.8
                            Jan 8, 2025 16:54:07.958004951 CET | 49709 | 2195 | 192.168.2.8 | 147.124.212.172
                            Jan 8, 2025 16:54:07.981878996 CET | 49709 | 2195 | 192.168.2.8 | 147.124.212.172
                            Jan 8, 2025 16:54:07.986666918 CET | 2195 | 49709 | 147.124.212.172 | 192.168.2.8
                            Jan 8, 2025 16:54:08.010425091 CET | 49710 | 2195 | 192.168.2.8 | 147.124.212.172
                            Jan 8, 2025 16:54:08.015237093 CET | 2195 | 49710 | 147.124.212.172 | 192.168.2.8
                            Jan 8, 2025 16:54:08.015306950 CET | 49710 | 2195 | 192.168.2.8 | 147.124.212.172
                            Jan 8, 2025 16:54:08.059034109 CET | 49710 | 2195 | 192.168.2.8 | 147.124.212.172
                            Jan 8, 2025 16:54:08.063846111 CET | 2195 | 49710 | 147.124.212.172 | 192.168.2.8
                            Jan 8, 2025 16:54:09.678906918 CET | 2195 | 49710 | 147.124.212.172 | 192.168.2.8
                            Jan 8, 2025 16:54:09.678968906 CET | 49710 | 2195 | 192.168.2.8 | 147.124.212.172
                            Jan 8, 2025 16:54:09.679053068 CET | 49710 | 2195 | 192.168.2.8 | 147.124.212.172
                            Jan 8, 2025 16:54:09.685302019 CET | 2195 | 49710 | 147.124.212.172 | 192.168.2.8
                            Jan 8, 2025 16:54:10.688934088 CET | 49713 | 2195 | 192.168.2.8 | 147.124.212.172
                            Jan 8, 2025 16:54:10.693861008 CET | 2195 | 49713 | 147.124.212.172 | 192.168.2.8
                            Jan 8, 2025 16:54:10.693985939 CET | 49713 | 2195 | 192.168.2.8 | 147.124.212.172
                            Jan 8, 2025 16:54:10.698193073 CET | 49713 | 2195 | 192.168.2.8 | 147.124.212.172
                            Jan 8, 2025 16:54:10.702991962 CET | 2195 | 49713 | 147.124.212.172 | 192.168.2.8
                            Jan 8, 2025 16:54:12.226289034 CET | 2195 | 49713 | 147.124.212.172 | 192.168.2.8
                            Jan 8, 2025 16:54:12.226350069 CET | 49713 | 2195 | 192.168.2.8 | 147.124.212.172
                            Jan 8, 2025 16:54:12.226435900 CET | 49713 | 2195 | 192.168.2.8 | 147.124.212.172
                            Jan 8, 2025 16:54:12.227365017 CET | 49714 | 2195 | 192.168.2.8 | 147.124.212.172
                            Jan 8, 2025 16:54:12.231223106 CET | 2195 | 49713 | 147.124.212.172 | 192.168.2.8
                            Jan 8, 2025 16:54:12.232146978 CET219549714147.124.212.172192.168.2.8
                            Jan 8, 2025 16:54:12.232223034 CET497142195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:12.235842943 CET497142195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:12.240731955 CET219549714147.124.212.172192.168.2.8
                            Jan 8, 2025 16:54:13.772475958 CET219549714147.124.212.172192.168.2.8
                            Jan 8, 2025 16:54:13.772660017 CET497142195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:13.773169994 CET497142195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:13.777939081 CET219549714147.124.212.172192.168.2.8
                            Jan 8, 2025 16:54:14.970335960 CET497152195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:14.975182056 CET219549715147.124.212.172192.168.2.8
                            Jan 8, 2025 16:54:14.975310087 CET497152195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:14.978920937 CET497152195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:14.983726978 CET219549715147.124.212.172192.168.2.8
                            Jan 8, 2025 16:54:16.478710890 CET219549715147.124.212.172192.168.2.8
                            Jan 8, 2025 16:54:16.478782892 CET497152195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:16.478851080 CET497152195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:16.480222940 CET497162195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:16.483578920 CET219549715147.124.212.172192.168.2.8
                            Jan 8, 2025 16:54:16.485050917 CET219549716147.124.212.172192.168.2.8
                            Jan 8, 2025 16:54:16.485117912 CET497162195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:16.489089012 CET497162195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:16.493869066 CET219549716147.124.212.172192.168.2.8
                            Jan 8, 2025 16:54:18.114646912 CET219549716147.124.212.172192.168.2.8
                            Jan 8, 2025 16:54:18.114715099 CET497162195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:18.114797115 CET497162195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:18.119524956 CET219549716147.124.212.172192.168.2.8
                            Jan 8, 2025 16:54:19.126787901 CET497172195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:19.131711960 CET219549717147.124.212.172192.168.2.8
                            Jan 8, 2025 16:54:19.131798983 CET497172195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:19.135278940 CET497172195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:19.140467882 CET219549717147.124.212.172192.168.2.8
                            Jan 8, 2025 16:54:20.651278019 CET219549717147.124.212.172192.168.2.8
                            Jan 8, 2025 16:54:20.651343107 CET497172195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:20.651423931 CET497172195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:20.652496099 CET497202195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:20.656167030 CET219549717147.124.212.172192.168.2.8
                            Jan 8, 2025 16:54:20.657313108 CET219549720147.124.212.172192.168.2.8
                            Jan 8, 2025 16:54:20.657378912 CET497202195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:20.661130905 CET497202195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:20.665924072 CET219549720147.124.212.172192.168.2.8
                            Jan 8, 2025 16:54:22.166261911 CET219549720147.124.212.172192.168.2.8
                            Jan 8, 2025 16:54:22.166505098 CET497202195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:22.166651011 CET497202195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:22.171468973 CET219549720147.124.212.172192.168.2.8
                            Jan 8, 2025 16:54:23.175524950 CET497212195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:23.180403948 CET219549721147.124.212.172192.168.2.8
                            Jan 8, 2025 16:54:23.180541992 CET497212195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:23.189182043 CET497212195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:23.194005966 CET219549721147.124.212.172192.168.2.8
                            Jan 8, 2025 16:54:24.710930109 CET219549721147.124.212.172192.168.2.8
                            Jan 8, 2025 16:54:24.711004019 CET497212195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:24.711066961 CET497212195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:24.712342978 CET497222195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:24.715848923 CET219549721147.124.212.172192.168.2.8
                            Jan 8, 2025 16:54:24.717132092 CET219549722147.124.212.172192.168.2.8
                            Jan 8, 2025 16:54:24.717211008 CET497222195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:24.720794916 CET497222195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:24.725598097 CET219549722147.124.212.172192.168.2.8
                            Jan 8, 2025 16:54:26.212254047 CET219549722147.124.212.172192.168.2.8
                            Jan 8, 2025 16:54:26.212376118 CET497222195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:26.212533951 CET497222195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:26.217284918 CET219549722147.124.212.172192.168.2.8
                            Jan 8, 2025 16:54:27.220525026 CET497232195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:27.225330114 CET219549723147.124.212.172192.168.2.8
                            Jan 8, 2025 16:54:27.225451946 CET497232195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:27.229142904 CET497232195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:27.233915091 CET219549723147.124.212.172192.168.2.8
                            Jan 8, 2025 16:54:28.837897062 CET219549723147.124.212.172192.168.2.8
                            Jan 8, 2025 16:54:28.837949991 CET497232195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:28.838042021 CET497232195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:28.839179993 CET497242195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:28.842772007 CET219549723147.124.212.172192.168.2.8
                            Jan 8, 2025 16:54:28.843974113 CET219549724147.124.212.172192.168.2.8
                            Jan 8, 2025 16:54:28.844034910 CET497242195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:28.847861052 CET497242195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:28.852675915 CET219549724147.124.212.172192.168.2.8
                            Jan 8, 2025 16:54:30.379597902 CET219549724147.124.212.172192.168.2.8
                            Jan 8, 2025 16:54:30.379693985 CET497242195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:30.379774094 CET497242195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:30.384501934 CET219549724147.124.212.172192.168.2.8
                            Jan 8, 2025 16:54:31.392379999 CET497252195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:31.397283077 CET219549725147.124.212.172192.168.2.8
                            Jan 8, 2025 16:54:31.397413015 CET497252195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:31.401098013 CET497252195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:31.405986071 CET219549725147.124.212.172192.168.2.8
                            Jan 8, 2025 16:54:32.896020889 CET219549725147.124.212.172192.168.2.8
                            Jan 8, 2025 16:54:32.896086931 CET497252195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:32.896172047 CET497252195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:32.897352934 CET497262195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:32.900919914 CET219549725147.124.212.172192.168.2.8
                            Jan 8, 2025 16:54:32.902205944 CET219549726147.124.212.172192.168.2.8
                            Jan 8, 2025 16:54:32.902272940 CET497262195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:32.906142950 CET497262195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:32.910913944 CET219549726147.124.212.172192.168.2.8
                            Jan 8, 2025 16:54:34.399640083 CET219549726147.124.212.172192.168.2.8
                            Jan 8, 2025 16:54:34.399739027 CET497262195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:34.399822950 CET497262195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:34.404642105 CET219549726147.124.212.172192.168.2.8
                            Jan 8, 2025 16:54:35.407607079 CET497272195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:35.412426949 CET219549727147.124.212.172192.168.2.8
                            Jan 8, 2025 16:54:35.412628889 CET497272195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:35.416505098 CET497272195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:35.421375036 CET219549727147.124.212.172192.168.2.8
                            Jan 8, 2025 16:54:36.896823883 CET219549727147.124.212.172192.168.2.8
                            Jan 8, 2025 16:54:36.896953106 CET497272195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:36.897321939 CET497272195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:36.898726940 CET497282195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:36.902110100 CET219549727147.124.212.172192.168.2.8
                            Jan 8, 2025 16:54:36.903527975 CET219549728147.124.212.172192.168.2.8
                            Jan 8, 2025 16:54:36.903646946 CET497282195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:36.907285929 CET497282195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:36.912049055 CET219549728147.124.212.172192.168.2.8
                            Jan 8, 2025 16:54:38.379905939 CET219549728147.124.212.172192.168.2.8
                            Jan 8, 2025 16:54:38.380028009 CET497282195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:38.380117893 CET497282195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:38.384839058 CET219549728147.124.212.172192.168.2.8
                            Jan 8, 2025 16:54:39.506843090 CET497292195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:39.511704922 CET219549729147.124.212.172192.168.2.8
                            Jan 8, 2025 16:54:39.511826992 CET497292195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:39.515554905 CET497292195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:39.520431995 CET219549729147.124.212.172192.168.2.8
                            Jan 8, 2025 16:54:41.070132971 CET219549729147.124.212.172192.168.2.8
                            Jan 8, 2025 16:54:41.070235014 CET497292195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:41.070308924 CET497292195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:41.071286917 CET497302195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:41.075084925 CET219549729147.124.212.172192.168.2.8
                            Jan 8, 2025 16:54:41.076045036 CET219549730147.124.212.172192.168.2.8
                            Jan 8, 2025 16:54:41.076116085 CET497302195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:41.079994917 CET497302195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:41.084748030 CET219549730147.124.212.172192.168.2.8
                            Jan 8, 2025 16:54:42.583079100 CET219549730147.124.212.172192.168.2.8
                            Jan 8, 2025 16:54:42.583220005 CET497302195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:42.583277941 CET497302195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:42.588530064 CET219549730147.124.212.172192.168.2.8
                            Jan 8, 2025 16:54:43.595943928 CET497312195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:43.600884914 CET219549731147.124.212.172192.168.2.8
                            Jan 8, 2025 16:54:43.600964069 CET497312195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:43.604681969 CET497312195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:43.609467983 CET219549731147.124.212.172192.168.2.8
                            Jan 8, 2025 16:54:45.120412111 CET219549731147.124.212.172192.168.2.8
                            Jan 8, 2025 16:54:45.123012066 CET497312195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:45.123094082 CET497312195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:45.124012947 CET497322195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:45.127868891 CET219549731147.124.212.172192.168.2.8
                            Jan 8, 2025 16:54:45.128779888 CET219549732147.124.212.172192.168.2.8
                            Jan 8, 2025 16:54:45.128892899 CET497322195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:45.132577896 CET497322195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:45.137927055 CET219549732147.124.212.172192.168.2.8
                            Jan 8, 2025 16:54:46.632142067 CET219549732147.124.212.172192.168.2.8
                            Jan 8, 2025 16:54:46.632266045 CET497322195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:46.632368088 CET497322195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:46.637103081 CET219549732147.124.212.172192.168.2.8
                            Jan 8, 2025 16:54:47.642057896 CET497332195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:47.646883011 CET219549733147.124.212.172192.168.2.8
                            Jan 8, 2025 16:54:47.646958113 CET497332195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:47.650847912 CET497332195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:47.655656099 CET219549733147.124.212.172192.168.2.8
                            Jan 8, 2025 16:54:49.130928993 CET219549733147.124.212.172192.168.2.8
                            Jan 8, 2025 16:54:49.130999088 CET497332195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:49.131114006 CET497332195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:49.134104967 CET497342195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:49.136318922 CET219549733147.124.212.172192.168.2.8
                            Jan 8, 2025 16:54:49.138919115 CET219549734147.124.212.172192.168.2.8
                            Jan 8, 2025 16:54:49.139028072 CET497342195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:49.143523932 CET497342195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:49.148287058 CET219549734147.124.212.172192.168.2.8
                            Jan 8, 2025 16:54:50.630759954 CET219549734147.124.212.172192.168.2.8
                            Jan 8, 2025 16:54:50.630817890 CET497342195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:50.630918980 CET497342195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:50.635689974 CET219549734147.124.212.172192.168.2.8
                            Jan 8, 2025 16:54:51.642075062 CET497352195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:51.646888971 CET219549735147.124.212.172192.168.2.8
                            Jan 8, 2025 16:54:51.646960974 CET497352195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:51.650902987 CET497352195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:51.655658007 CET219549735147.124.212.172192.168.2.8
                            Jan 8, 2025 16:54:53.131902933 CET219549735147.124.212.172192.168.2.8
                            Jan 8, 2025 16:54:53.132004976 CET497352195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:53.132311106 CET497352195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:53.137054920 CET219549735147.124.212.172192.168.2.8
                            Jan 8, 2025 16:54:53.143233061 CET497362195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:53.148030996 CET219549736147.124.212.172192.168.2.8
                            Jan 8, 2025 16:54:53.148106098 CET497362195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:53.170814991 CET497362195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:53.175554037 CET219549736147.124.212.172192.168.2.8
                            Jan 8, 2025 16:54:54.630708933 CET219549736147.124.212.172192.168.2.8
                            Jan 8, 2025 16:54:54.630873919 CET497362195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:54.630938053 CET497362195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:54.635736942 CET219549736147.124.212.172192.168.2.8
                            Jan 8, 2025 16:54:55.650832891 CET497372195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:55.655675888 CET219549737147.124.212.172192.168.2.8
                            Jan 8, 2025 16:54:55.655766964 CET497372195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:55.686966896 CET497372195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:55.691749096 CET219549737147.124.212.172192.168.2.8
                            Jan 8, 2025 16:54:57.146125078 CET219549737147.124.212.172192.168.2.8
                            Jan 8, 2025 16:54:57.146260977 CET497372195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:57.151453972 CET497372195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:57.152498960 CET497382195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:57.156250954 CET219549737147.124.212.172192.168.2.8
                            Jan 8, 2025 16:54:57.157330036 CET219549738147.124.212.172192.168.2.8
                            Jan 8, 2025 16:54:57.157439947 CET497382195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:57.161046982 CET497382195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:57.165817022 CET219549738147.124.212.172192.168.2.8
                            Jan 8, 2025 16:54:58.646023989 CET219549738147.124.212.172192.168.2.8
                            Jan 8, 2025 16:54:58.646111012 CET497382195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:58.659106016 CET497382195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:58.663872957 CET219549738147.124.212.172192.168.2.8
                            Jan 8, 2025 16:54:59.704543114 CET497402195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:59.709429026 CET219549740147.124.212.172192.168.2.8
                            Jan 8, 2025 16:54:59.709498882 CET497402195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:59.713164091 CET497402195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:54:59.717981100 CET219549740147.124.212.172192.168.2.8
                            Jan 8, 2025 16:55:01.193339109 CET219549740147.124.212.172192.168.2.8
                            Jan 8, 2025 16:55:01.193408966 CET497402195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:55:01.193511009 CET497402195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:55:01.194518089 CET497412195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:55:01.198250055 CET219549740147.124.212.172192.168.2.8
                            Jan 8, 2025 16:55:01.199327946 CET219549741147.124.212.172192.168.2.8
                            Jan 8, 2025 16:55:01.199420929 CET497412195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:55:01.202805042 CET497412195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:55:01.207607985 CET219549741147.124.212.172192.168.2.8
                            Jan 8, 2025 16:55:02.677128077 CET219549741147.124.212.172192.168.2.8
                            Jan 8, 2025 16:55:02.677217960 CET497412195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:55:02.677304029 CET497412195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:55:02.682071924 CET219549741147.124.212.172192.168.2.8
                            Jan 8, 2025 16:55:03.691607952 CET497422195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:55:03.696439028 CET219549742147.124.212.172192.168.2.8
                            Jan 8, 2025 16:55:03.696508884 CET497422195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:55:03.700228930 CET497422195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:55:03.705053091 CET219549742147.124.212.172192.168.2.8
                            Jan 8, 2025 16:55:05.227840900 CET219549742147.124.212.172192.168.2.8
                            Jan 8, 2025 16:55:05.227966070 CET497422195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:55:05.228060007 CET497422195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:55:05.229027987 CET497432195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:55:05.232842922 CET219549742147.124.212.172192.168.2.8
                            Jan 8, 2025 16:55:05.233824015 CET219549743147.124.212.172192.168.2.8
                            Jan 8, 2025 16:55:05.233932972 CET497432195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:55:05.238311052 CET497432195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:55:05.243084908 CET219549743147.124.212.172192.168.2.8
                            Jan 8, 2025 16:55:06.792615891 CET219549743147.124.212.172192.168.2.8
                            Jan 8, 2025 16:55:06.792701006 CET497432195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:55:06.792804003 CET497432195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:55:06.797590971 CET219549743147.124.212.172192.168.2.8
                            Jan 8, 2025 16:55:07.799093962 CET497442195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:55:07.803960085 CET219549744147.124.212.172192.168.2.8
                            Jan 8, 2025 16:55:07.804079056 CET497442195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:55:07.807636023 CET497442195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:55:07.812397957 CET219549744147.124.212.172192.168.2.8
                            Jan 8, 2025 16:55:09.306137085 CET219549744147.124.212.172192.168.2.8
                            Jan 8, 2025 16:55:09.306269884 CET497442195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:55:09.307508945 CET497442195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:55:09.312552929 CET219549744147.124.212.172192.168.2.8
                            Jan 8, 2025 16:55:09.319331884 CET497452195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:55:09.324208021 CET219549745147.124.212.172192.168.2.8
                            Jan 8, 2025 16:55:09.324299097 CET497452195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:55:09.357570887 CET497452195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:55:09.362402916 CET219549745147.124.212.172192.168.2.8
                            Jan 8, 2025 16:55:10.821932077 CET219549745147.124.212.172192.168.2.8
                            Jan 8, 2025 16:55:10.822967052 CET497452195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:55:10.823007107 CET497452195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:55:10.827821016 CET219549745147.124.212.172192.168.2.8
                            Jan 8, 2025 16:55:11.943165064 CET497462195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:55:11.948024988 CET219549746147.124.212.172192.168.2.8
                            Jan 8, 2025 16:55:11.948352098 CET497462195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:55:11.951759100 CET497462195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:55:11.956567049 CET219549746147.124.212.172192.168.2.8
                            Jan 8, 2025 16:55:13.428137064 CET219549746147.124.212.172192.168.2.8
                            Jan 8, 2025 16:55:13.428225994 CET497462195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:55:13.428265095 CET497462195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:55:13.429275990 CET497472195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:55:13.433043003 CET219549746147.124.212.172192.168.2.8
                            Jan 8, 2025 16:55:13.434103966 CET219549747147.124.212.172192.168.2.8
                            Jan 8, 2025 16:55:13.434175014 CET497472195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:55:13.437423944 CET497472195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:55:13.442193985 CET219549747147.124.212.172192.168.2.8
                            Jan 8, 2025 16:55:14.927999973 CET219549747147.124.212.172192.168.2.8
                            Jan 8, 2025 16:55:14.928086042 CET497472195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:55:14.928152084 CET497472195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:55:14.933037043 CET219549747147.124.212.172192.168.2.8
                            Jan 8, 2025 16:55:15.938803911 CET497482195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:55:15.943773985 CET219549748147.124.212.172192.168.2.8
                            Jan 8, 2025 16:55:15.943851948 CET497482195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:55:15.947472095 CET497482195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:55:15.952234983 CET219549748147.124.212.172192.168.2.8
                            Jan 8, 2025 16:55:17.429481030 CET219549748147.124.212.172192.168.2.8
                            Jan 8, 2025 16:55:17.429728985 CET497482195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:56:39.914544106 CET497892195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:56:39.919460058 CET219549789147.124.212.172192.168.2.8
                            Jan 8, 2025 16:56:40.735790968 CET497902195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:56:40.740726948 CET219549790147.124.212.172192.168.2.8
                            Jan 8, 2025 16:56:40.740839958 CET497902195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:56:40.744335890 CET497902195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:56:40.749103069 CET219549790147.124.212.172192.168.2.8
                            Jan 8, 2025 16:56:42.261387110 CET219549790147.124.212.172192.168.2.8
                            Jan 8, 2025 16:56:42.261447906 CET497902195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:56:42.261585951 CET497902195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:56:42.262717009 CET497912195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:56:42.266350031 CET219549790147.124.212.172192.168.2.8
                            Jan 8, 2025 16:56:42.267556906 CET219549791147.124.212.172192.168.2.8
                            Jan 8, 2025 16:56:42.267627001 CET497912195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:56:42.272488117 CET497912195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:56:42.277318001 CET219549791147.124.212.172192.168.2.8
                            Jan 8, 2025 16:56:43.773905993 CET219549791147.124.212.172192.168.2.8
                            Jan 8, 2025 16:56:43.775249004 CET497912195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:56:43.775409937 CET497912195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:56:43.781100988 CET219549791147.124.212.172192.168.2.8
                            Jan 8, 2025 16:56:44.579546928 CET497922195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:56:44.585144043 CET219549792147.124.212.172192.168.2.8
                            Jan 8, 2025 16:56:44.585251093 CET497922195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:56:44.588634968 CET497922195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:56:44.594163895 CET219549792147.124.212.172192.168.2.8
                            Jan 8, 2025 16:56:46.089519978 CET219549792147.124.212.172192.168.2.8
                            Jan 8, 2025 16:56:46.089585066 CET497922195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:56:46.089649916 CET497922195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:56:46.090883017 CET497932195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:56:46.094418049 CET219549792147.124.212.172192.168.2.8
                            Jan 8, 2025 16:56:46.095689058 CET219549793147.124.212.172192.168.2.8
                            Jan 8, 2025 16:56:46.095766068 CET497932195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:56:46.099332094 CET497932195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:56:46.104168892 CET219549793147.124.212.172192.168.2.8
                            Jan 8, 2025 16:56:47.606725931 CET219549793147.124.212.172192.168.2.8
                            Jan 8, 2025 16:56:47.606794119 CET497932195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:56:47.606877089 CET497932195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:56:47.611767054 CET219549793147.124.212.172192.168.2.8
                            Jan 8, 2025 16:56:48.979743004 CET497942195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:56:48.984662056 CET219549794147.124.212.172192.168.2.8
                            Jan 8, 2025 16:56:48.986104965 CET497942195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:56:48.989867926 CET497942195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:56:48.994658947 CET219549794147.124.212.172192.168.2.8
                            Jan 8, 2025 16:56:50.475975037 CET219549794147.124.212.172192.168.2.8
                            Jan 8, 2025 16:56:50.479070902 CET497942195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:56:50.479135990 CET497942195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:56:50.480140924 CET497952195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:56:50.483939886 CET219549794147.124.212.172192.168.2.8
                            Jan 8, 2025 16:56:50.484931946 CET219549795147.124.212.172192.168.2.8
                            Jan 8, 2025 16:56:50.485034943 CET497952195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:56:50.496320009 CET497952195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:56:50.501132965 CET219549795147.124.212.172192.168.2.8
                            Jan 8, 2025 16:56:51.993046999 CET219549795147.124.212.172192.168.2.8
                            Jan 8, 2025 16:56:51.993155003 CET497952195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:56:51.993186951 CET497952195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:56:51.997983932 CET219549795147.124.212.172192.168.2.8
                            Jan 8, 2025 16:56:52.735769033 CET497962195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:56:52.740894079 CET219549796147.124.212.172192.168.2.8
                            Jan 8, 2025 16:56:52.741043091 CET497962195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:56:52.746494055 CET497962195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:56:52.751231909 CET219549796147.124.212.172192.168.2.8
                            Jan 8, 2025 16:56:54.242691994 CET219549796147.124.212.172192.168.2.8
                            Jan 8, 2025 16:56:54.245002985 CET497962195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:56:54.245049000 CET497962195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:56:54.245878935 CET497972195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:56:54.249860048 CET219549796147.124.212.172192.168.2.8
                            Jan 8, 2025 16:56:54.250787973 CET219549797147.124.212.172192.168.2.8
                            Jan 8, 2025 16:56:54.250894070 CET497972195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:56:54.254297018 CET497972195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:56:54.259080887 CET219549797147.124.212.172192.168.2.8
                            Jan 8, 2025 16:56:55.757798910 CET219549797147.124.212.172192.168.2.8
                            Jan 8, 2025 16:56:55.759187937 CET497972195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:56:55.759278059 CET497972195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:56:55.764034033 CET219549797147.124.212.172192.168.2.8
                            Jan 8, 2025 16:56:56.485846043 CET497982195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:56:56.490794897 CET219549798147.124.212.172192.168.2.8
                            Jan 8, 2025 16:56:56.493009090 CET497982195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:56:56.496551991 CET497982195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:56:56.501374960 CET219549798147.124.212.172192.168.2.8
                            Jan 8, 2025 16:56:58.006671906 CET219549798147.124.212.172192.168.2.8
                            Jan 8, 2025 16:56:58.007505894 CET497982195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:56:58.007623911 CET497982195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:56:58.008972883 CET497992195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:56:58.012408972 CET219549798147.124.212.172192.168.2.8
                            Jan 8, 2025 16:56:58.013823032 CET219549799147.124.212.172192.168.2.8
                            Jan 8, 2025 16:56:58.013972998 CET497992195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:56:58.017683029 CET497992195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:56:58.022480965 CET219549799147.124.212.172192.168.2.8
                            Jan 8, 2025 16:56:59.509754896 CET219549799147.124.212.172192.168.2.8
                            Jan 8, 2025 16:56:59.511142969 CET497992195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:56:59.513288021 CET497992195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:56:59.518043041 CET219549799147.124.212.172192.168.2.8
                            Jan 8, 2025 16:57:00.204771042 CET498002195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:57:00.210721016 CET219549800147.124.212.172192.168.2.8
                            Jan 8, 2025 16:57:00.211045027 CET498002195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:57:00.214483023 CET498002195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:57:00.220283031 CET219549800147.124.212.172192.168.2.8
                            Jan 8, 2025 16:57:01.740833998 CET219549800147.124.212.172192.168.2.8
                            Jan 8, 2025 16:57:01.745196104 CET498002195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:57:01.745196104 CET498002195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:57:01.745985985 CET498012195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:57:01.750051022 CET219549800147.124.212.172192.168.2.8
                            Jan 8, 2025 16:57:01.750847101 CET219549801147.124.212.172192.168.2.8
                            Jan 8, 2025 16:57:01.750931025 CET498012195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:57:01.754374027 CET498012195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:57:01.759114981 CET219549801147.124.212.172192.168.2.8
                            Jan 8, 2025 16:57:03.246205091 CET219549801147.124.212.172192.168.2.8
                            Jan 8, 2025 16:57:03.246273041 CET498012195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:57:03.246332884 CET498012195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:57:03.251069069 CET219549801147.124.212.172192.168.2.8
                            Jan 8, 2025 16:57:03.924079895 CET498022195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:57:03.929058075 CET219549802147.124.212.172192.168.2.8
                            Jan 8, 2025 16:57:03.929212093 CET498022195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:57:03.937233925 CET498022195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:57:03.942054033 CET219549802147.124.212.172192.168.2.8
                            Jan 8, 2025 16:57:05.433007002 CET219549802147.124.212.172192.168.2.8
                            Jan 8, 2025 16:57:05.433098078 CET498022195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:57:05.433183908 CET498022195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:57:05.434452057 CET498032195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:57:05.437964916 CET219549802147.124.212.172192.168.2.8
                            Jan 8, 2025 16:57:05.439256907 CET219549803147.124.212.172192.168.2.8
                            Jan 8, 2025 16:57:05.439321041 CET498032195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:57:05.472804070 CET498032195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:57:05.477564096 CET219549803147.124.212.172192.168.2.8
                            Jan 8, 2025 16:57:06.945755959 CET219549803147.124.212.172192.168.2.8
                            Jan 8, 2025 16:57:06.949049950 CET498032195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:57:06.949094057 CET498032195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:57:06.954344988 CET219549803147.124.212.172192.168.2.8
                            Jan 8, 2025 16:57:07.595257044 CET498042195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:57:07.600197077 CET219549804147.124.212.172192.168.2.8
                            Jan 8, 2025 16:57:07.600272894 CET498042195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:57:07.605391026 CET498042195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:57:07.610250950 CET219549804147.124.212.172192.168.2.8
                            Jan 8, 2025 16:57:09.117161036 CET219549804147.124.212.172192.168.2.8
                            Jan 8, 2025 16:57:09.119458914 CET498042195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:57:09.120244980 CET498042195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:57:09.120248079 CET498052195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:57:09.125699997 CET219549804147.124.212.172192.168.2.8
                            Jan 8, 2025 16:57:09.125732899 CET219549805147.124.212.172192.168.2.8
                            Jan 8, 2025 16:57:09.125811100 CET498052195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:57:09.134962082 CET498052195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:57:09.140495062 CET219549805147.124.212.172192.168.2.8
                            Jan 8, 2025 16:57:10.637820005 CET219549805147.124.212.172192.168.2.8
                            Jan 8, 2025 16:57:10.637914896 CET498052195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:57:10.637981892 CET498052195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:57:10.642826080 CET219549805147.124.212.172192.168.2.8
                            Jan 8, 2025 16:57:11.266931057 CET498062195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:57:11.271982908 CET219549806147.124.212.172192.168.2.8
                            Jan 8, 2025 16:57:11.273037910 CET498062195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:57:11.276654005 CET498062195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:57:11.281420946 CET219549806147.124.212.172192.168.2.8
                            Jan 8, 2025 16:57:12.778024912 CET219549806147.124.212.172192.168.2.8
                            Jan 8, 2025 16:57:12.778084993 CET498062195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:57:12.778182030 CET498062195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:57:12.779086113 CET498072195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:57:12.782906055 CET219549806147.124.212.172192.168.2.8
                            Jan 8, 2025 16:57:12.783921957 CET219549807147.124.212.172192.168.2.8
                            Jan 8, 2025 16:57:12.783987045 CET498072195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:57:12.787796974 CET498072195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:57:12.792562962 CET219549807147.124.212.172192.168.2.8
                            Jan 8, 2025 16:57:14.290313005 CET219549807147.124.212.172192.168.2.8
                            Jan 8, 2025 16:57:14.290399075 CET498072195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:57:14.290446043 CET498072195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:57:14.295259953 CET219549807147.124.212.172192.168.2.8
                            Jan 8, 2025 16:57:14.907977104 CET498082195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:57:14.912832022 CET219549808147.124.212.172192.168.2.8
                            Jan 8, 2025 16:57:14.912906885 CET498082195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:57:14.918695927 CET498082195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:57:14.923460960 CET219549808147.124.212.172192.168.2.8
                            Jan 8, 2025 16:57:16.430030107 CET219549808147.124.212.172192.168.2.8
                            Jan 8, 2025 16:57:16.430169106 CET498082195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:57:16.430206060 CET498082195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:57:16.431045055 CET498092195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:57:16.436072111 CET219549808147.124.212.172192.168.2.8
                            Jan 8, 2025 16:57:16.436558962 CET219549809147.124.212.172192.168.2.8
                            Jan 8, 2025 16:57:16.436638117 CET498092195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:57:16.440049887 CET498092195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:57:16.445641994 CET219549809147.124.212.172192.168.2.8
                            Jan 8, 2025 16:57:17.960270882 CET219549809147.124.212.172192.168.2.8
                            Jan 8, 2025 16:57:17.965102911 CET498092195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:57:17.965146065 CET498092195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:57:17.970032930 CET219549809147.124.212.172192.168.2.8
                            Jan 8, 2025 16:57:18.548340082 CET498102195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:57:18.553333044 CET219549810147.124.212.172192.168.2.8
                            Jan 8, 2025 16:57:18.553411007 CET498102195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:57:18.556930065 CET498102195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:57:18.561686039 CET219549810147.124.212.172192.168.2.8
                            Jan 8, 2025 16:57:20.076736927 CET219549810147.124.212.172192.168.2.8
                            Jan 8, 2025 16:57:20.076812029 CET498102195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:57:20.076862097 CET498102195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:57:20.077847004 CET498112195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:57:20.081644058 CET219549810147.124.212.172192.168.2.8
                            Jan 8, 2025 16:57:20.082695961 CET219549811147.124.212.172192.168.2.8
                            Jan 8, 2025 16:57:20.082777023 CET498112195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:57:20.086419106 CET498112195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:57:20.091176033 CET219549811147.124.212.172192.168.2.8
                            Jan 8, 2025 16:57:21.591408014 CET219549811147.124.212.172192.168.2.8
                            Jan 8, 2025 16:57:21.591474056 CET498112195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:57:21.591528893 CET498112195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:57:21.596354961 CET219549811147.124.212.172192.168.2.8
                            Jan 8, 2025 16:57:22.511451006 CET498122195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:57:22.516311884 CET219549812147.124.212.172192.168.2.8
                            Jan 8, 2025 16:57:22.516391993 CET498122195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:57:22.532048941 CET498122195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:57:22.536865950 CET219549812147.124.212.172192.168.2.8
                            Jan 8, 2025 16:57:24.023986101 CET219549812147.124.212.172192.168.2.8
                            Jan 8, 2025 16:57:24.024214029 CET498122195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:57:24.024264097 CET498122195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:57:24.025082111 CET498132195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:57:24.029033899 CET219549812147.124.212.172192.168.2.8
                            Jan 8, 2025 16:57:24.029876947 CET219549813147.124.212.172192.168.2.8
                            Jan 8, 2025 16:57:24.033051968 CET498132195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:57:24.036277056 CET498132195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:57:24.041093111 CET219549813147.124.212.172192.168.2.8
                            Jan 8, 2025 16:57:25.524322987 CET219549813147.124.212.172192.168.2.8
                            Jan 8, 2025 16:57:25.524388075 CET498132195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:57:25.524460077 CET498132195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:57:25.530081034 CET219549813147.124.212.172192.168.2.8
                            Jan 8, 2025 16:57:26.079669952 CET498142195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:57:26.085679054 CET219549814147.124.212.172192.168.2.8
                            Jan 8, 2025 16:57:26.089065075 CET498142195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:57:26.092544079 CET498142195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:57:26.097357988 CET219549814147.124.212.172192.168.2.8
                            Jan 8, 2025 16:57:27.571523905 CET219549814147.124.212.172192.168.2.8
                            Jan 8, 2025 16:57:27.571631908 CET498142195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:57:27.571676970 CET498142195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:57:27.572561026 CET498152195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:57:27.576502085 CET219549814147.124.212.172192.168.2.8
                            Jan 8, 2025 16:57:27.577364922 CET219549815147.124.212.172192.168.2.8
                            Jan 8, 2025 16:57:27.577429056 CET498152195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:57:27.580878973 CET498152195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:57:27.585652113 CET219549815147.124.212.172192.168.2.8
                            Jan 8, 2025 16:57:29.054896116 CET219549815147.124.212.172192.168.2.8
                            Jan 8, 2025 16:57:29.054960966 CET498152195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:57:29.055119991 CET498152195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:57:29.060204029 CET219549815147.124.212.172192.168.2.8
                            Jan 8, 2025 16:57:29.595726013 CET498162195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:57:29.600574970 CET219549816147.124.212.172192.168.2.8
                            Jan 8, 2025 16:57:29.600652933 CET498162195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:57:29.605564117 CET498162195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:57:29.610373974 CET219549816147.124.212.172192.168.2.8
                            Jan 8, 2025 16:57:31.122065067 CET219549816147.124.212.172192.168.2.8
                            Jan 8, 2025 16:57:31.122172117 CET498162195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:57:31.127983093 CET498162195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:57:31.130434990 CET498172195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:57:31.132800102 CET219549816147.124.212.172192.168.2.8
                            Jan 8, 2025 16:57:31.135298967 CET219549817147.124.212.172192.168.2.8
                            Jan 8, 2025 16:57:31.135370970 CET498172195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:57:31.139055014 CET498172195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:57:31.143846989 CET219549817147.124.212.172192.168.2.8
                            Jan 8, 2025 16:57:32.617759943 CET219549817147.124.212.172192.168.2.8
                            Jan 8, 2025 16:57:32.617835999 CET498172195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:57:32.617892981 CET498172195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:57:32.622673988 CET219549817147.124.212.172192.168.2.8
                            Jan 8, 2025 16:57:33.126471996 CET498182195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:57:33.131294966 CET219549818147.124.212.172192.168.2.8
                            Jan 8, 2025 16:57:33.131360054 CET498182195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:57:33.134835005 CET498182195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:57:33.139710903 CET219549818147.124.212.172192.168.2.8
                            Jan 8, 2025 16:57:34.617793083 CET219549818147.124.212.172192.168.2.8
                            Jan 8, 2025 16:57:34.619436026 CET498182195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:57:34.619486094 CET498182195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:57:34.620266914 CET498192195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:57:34.624218941 CET219549818147.124.212.172192.168.2.8
                            Jan 8, 2025 16:57:34.625125885 CET219549819147.124.212.172192.168.2.8
                            Jan 8, 2025 16:57:34.625250101 CET498192195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:57:34.636662960 CET498192195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:57:34.641453981 CET219549819147.124.212.172192.168.2.8
                            Jan 8, 2025 16:57:36.137443066 CET219549819147.124.212.172192.168.2.8
                            Jan 8, 2025 16:57:36.140048027 CET498192195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:57:36.140100956 CET498192195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:57:36.144851923 CET219549819147.124.212.172192.168.2.8
                            Jan 8, 2025 16:57:36.658386946 CET498202195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:57:36.663225889 CET219549820147.124.212.172192.168.2.8
                            Jan 8, 2025 16:57:36.663343906 CET498202195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:57:36.667675018 CET498202195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:57:36.672454119 CET219549820147.124.212.172192.168.2.8
                            Jan 8, 2025 16:57:38.149188995 CET219549820147.124.212.172192.168.2.8
                            Jan 8, 2025 16:57:38.151089907 CET498202195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:57:38.151139021 CET498202195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:57:38.152012110 CET498212195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:57:38.155925035 CET219549820147.124.212.172192.168.2.8
                            Jan 8, 2025 16:57:38.156778097 CET219549821147.124.212.172192.168.2.8
                            Jan 8, 2025 16:57:38.159120083 CET498212195192.168.2.8147.124.212.172
                            Jan 8, 2025 16:57:38.162388086 CET498212195192.168.2.8147.124.212.172
                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                            Jan 8, 2025 16:54:05.820558071 CET | 60967 | 53 | 192.168.2.8 | 1.1.1.1
                            Jan 8, 2025 16:54:06.428675890 CET | 53 | 60967 | 1.1.1.1 | 192.168.2.8
                            Jan 8, 2025 16:54:07.986323118 CET | 51417 | 53 | 192.168.2.8 | 1.1.1.1
                            Jan 8, 2025 16:54:07.999684095 CET | 53 | 51417 | 1.1.1.1 | 192.168.2.8
                            Jan 8, 2025 16:54:39.391844034 CET | 62845 | 53 | 192.168.2.8 | 1.1.1.1
                            Jan 8, 2025 16:54:39.505935907 CET | 53 | 62845 | 1.1.1.1 | 192.168.2.8
                            Jan 8, 2025 16:55:11.829169035 CET | 51371 | 53 | 192.168.2.8 | 1.1.1.1
                            Jan 8, 2025 16:55:11.942260027 CET | 53 | 51371 | 1.1.1.1 | 192.168.2.8
                            Jan 8, 2025 16:55:44.103054047 CET | 56040 | 53 | 192.168.2.8 | 1.1.1.1
                            Jan 8, 2025 16:55:44.216670990 CET | 53 | 56040 | 1.1.1.1 | 192.168.2.8
                            Jan 8, 2025 16:56:16.611042976 CET | 61925 | 53 | 192.168.2.8 | 1.1.1.1
                            Jan 8, 2025 16:56:16.935010910 CET | 53 | 61925 | 1.1.1.1 | 192.168.2.8
                            Jan 8, 2025 16:56:48.376135111 CET | 63917 | 53 | 192.168.2.8 | 1.1.1.1
                            Jan 8, 2025 16:56:48.977799892 CET | 53 | 63917 | 1.1.1.1 | 192.168.2.8
                            Jan 8, 2025 16:57:22.176779985 CET | 61967 | 53 | 192.168.2.8 | 1.1.1.1
                            Jan 8, 2025 16:57:22.502074003 CET | 53 | 61967 | 1.1.1.1 | 192.168.2.8
                            Jan 8, 2025 16:57:54.801136971 CET | 58246 | 53 | 192.168.2.8 | 1.1.1.1
                            Jan 8, 2025 16:57:54.913652897 CET | 53 | 58246 | 1.1.1.1 | 192.168.2.8

                            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                            Jan 8, 2025 16:54:05.820558071 CET | 192.168.2.8 | 1.1.1.1 | 0xe7ae | Standard query (0) | teebro1800.dynamic-dns.net | A (IP address) | IN (0x0001) | false
                            Jan 8, 2025 16:54:07.986323118 CET | 192.168.2.8 | 1.1.1.1 | 0xfc98 | Standard query (0) | teewire.ydns.eu | A (IP address) | IN (0x0001) | false
                            Jan 8, 2025 16:54:39.391844034 CET | 192.168.2.8 | 1.1.1.1 | 0xa336 | Standard query (0) | teebro1800.dynamic-dns.net | A (IP address) | IN (0x0001) | false
                            Jan 8, 2025 16:55:11.829169035 CET | 192.168.2.8 | 1.1.1.1 | 0x220b | Standard query (0) | teebro1800.dynamic-dns.net | A (IP address) | IN (0x0001) | false
                            Jan 8, 2025 16:55:44.103054047 CET | 192.168.2.8 | 1.1.1.1 | 0xfbd0 | Standard query (0) | teebro1800.dynamic-dns.net | A (IP address) | IN (0x0001) | false
                            Jan 8, 2025 16:56:16.611042976 CET | 192.168.2.8 | 1.1.1.1 | 0x7a21 | Standard query (0) | teebro1800.dynamic-dns.net | A (IP address) | IN (0x0001) | false
                            Jan 8, 2025 16:56:48.376135111 CET | 192.168.2.8 | 1.1.1.1 | 0x2df6 | Standard query (0) | teebro1800.dynamic-dns.net | A (IP address) | IN (0x0001) | false
                            Jan 8, 2025 16:57:22.176779985 CET | 192.168.2.8 | 1.1.1.1 | 0x54f0 | Standard query (0) | teebro1800.dynamic-dns.net | A (IP address) | IN (0x0001) | false
                            Jan 8, 2025 16:57:54.801136971 CET | 192.168.2.8 | 1.1.1.1 | 0x7e71 | Standard query (0) | teebro1800.dynamic-dns.net | A (IP address) | IN (0x0001) | false

                            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                            Jan 8, 2025 16:54:06.428675890 CET | 1.1.1.1 | 192.168.2.8 | 0xe7ae | No error (0) | teebro1800.dynamic-dns.net | | 147.124.212.172 | A (IP address) | IN (0x0001) | false
                            Jan 8, 2025 16:54:07.999684095 CET | 1.1.1.1 | 192.168.2.8 | 0xfc98 | No error (0) | teewire.ydns.eu | | 147.124.212.172 | A (IP address) | IN (0x0001) | false
                            Jan 8, 2025 16:54:39.505935907 CET | 1.1.1.1 | 192.168.2.8 | 0xa336 | No error (0) | teebro1800.dynamic-dns.net | | 147.124.212.172 | A (IP address) | IN (0x0001) | false
                            Jan 8, 2025 16:55:11.942260027 CET | 1.1.1.1 | 192.168.2.8 | 0x220b | No error (0) | teebro1800.dynamic-dns.net | | 147.124.212.172 | A (IP address) | IN (0x0001) | false
                            Jan 8, 2025 16:55:44.216670990 CET | 1.1.1.1 | 192.168.2.8 | 0xfbd0 | No error (0) | teebro1800.dynamic-dns.net | | 147.124.212.172 | A (IP address) | IN (0x0001) | false
                            Jan 8, 2025 16:56:16.935010910 CET | 1.1.1.1 | 192.168.2.8 | 0x7a21 | No error (0) | teebro1800.dynamic-dns.net | | 147.124.212.172 | A (IP address) | IN (0x0001) | false
                            Jan 8, 2025 16:56:48.977799892 CET | 1.1.1.1 | 192.168.2.8 | 0x2df6 | No error (0) | teebro1800.dynamic-dns.net | | 147.124.212.172 | A (IP address) | IN (0x0001) | false
                            Jan 8, 2025 16:57:22.502074003 CET | 1.1.1.1 | 192.168.2.8 | 0x54f0 | No error (0) | teebro1800.dynamic-dns.net | | 147.124.212.172 | A (IP address) | IN (0x0001) | false
                            Jan 8, 2025 16:57:54.913652897 CET | 1.1.1.1 | 192.168.2.8 | 0x7e71 | No error (0) | teebro1800.dynamic-dns.net | | 147.124.212.172 | A (IP address) | IN (0x0001) | false

                            Target ID:0
                            Start time:10:54:02
                            Start date:08/01/2025
                            Path:C:\Users\user\Desktop\Payment Swift CopyMT103.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\Payment Swift CopyMT103.exe"
                            Imagebase:0x980000
                            File size:995'840 bytes
                            MD5 hash:BED1442A4F50A01CA78BAFFD48313104
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1429290912.00000000071A0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.1424555615.0000000004B3E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.1424555615.0000000004B3E000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.1424555615.0000000003FE9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.1424555615.0000000003FE9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                            Reputation:low
                            Has exited:true

                            Target ID:3
                            Start time:10:54:03
                            Start date:08/01/2025
                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\AASHNosznogz.exe"
                            Imagebase:0xd20000
                            File size:433'152 bytes
                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:4
                            Start time:10:54:04
                            Start date:08/01/2025
                            Path:C:\Windows\SysWOW64\schtasks.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AASHNosznogz" /XML "C:\Users\user\AppData\Local\Temp\tmpC5F2.tmp"
                            Imagebase:0x7a0000
                            File size:187'904 bytes
                            MD5 hash:48C2FE20575769DE916F48EF0676A965
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:5
                            Start time:10:54:04
                            Start date:08/01/2025
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6ee680000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:6
                            Start time:10:54:04
                            Start date:08/01/2025
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6ee680000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:7
                            Start time:10:54:04
                            Start date:08/01/2025
                            Path:C:\Users\user\Desktop\Payment Swift CopyMT103.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\Payment Swift CopyMT103.exe"
                            Imagebase:0xa80000
                            File size:995'840 bytes
                            MD5 hash:BED1442A4F50A01CA78BAFFD48313104
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000007.00000002.3868496825.0000000001007000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                            Reputation:low
                            Has exited:false

                            Target ID:8
                            Start time:10:54:05
                            Start date:08/01/2025
                            Path:C:\Users\user\AppData\Roaming\AASHNosznogz.exe
                            Wow64 process (32bit):true
                            Commandline:C:\Users\user\AppData\Roaming\AASHNosznogz.exe
                            Imagebase:0x3f0000
                            File size:995'840 bytes
                            MD5 hash:BED1442A4F50A01CA78BAFFD48313104
                            Has elevated privileges:false
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language
                            Antivirus matches:
                            • Detection: 100%, Joe Sandbox ML
                            • Detection: 71%, ReversingLabs
                            Reputation:low
                            Has exited:true

                            Target ID:9
                            Start time:10:54:06
                            Start date:08/01/2025
                            Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                            Imagebase:0x7ff605670000
                            File size:496'640 bytes
                            MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                            Has elevated privileges:true
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:10
                            Start time:10:54:08
                            Start date:08/01/2025
                            Path:C:\Windows\SysWOW64\schtasks.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AASHNosznogz" /XML "C:\Users\user\AppData\Local\Temp\tmpD65D.tmp"
                            Imagebase:0x7a0000
                            File size:187'904 bytes
                            MD5 hash:48C2FE20575769DE916F48EF0676A965
                            Has elevated privileges:false
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:11
                            Start time:10:54:08
                            Start date:08/01/2025
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6ee680000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:false
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:12
                            Start time:10:54:08
                            Start date:08/01/2025
                            Path:C:\Users\user\AppData\Roaming\AASHNosznogz.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\AppData\Roaming\AASHNosznogz.exe"
                            Imagebase:0xf90000
                            File size:995'840 bytes
                            MD5 hash:BED1442A4F50A01CA78BAFFD48313104
                            Has elevated privileges:false
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000C.00000002.1457396479.000000000166A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                            • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                            • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer, Description: detects Windows executables potentially bypassing UAC using eventvwr.exe, Source: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                            Reputation:low
                            Has exited:true


                              Execution Graph

                              Execution Coverage:11.8%
                              Dynamic/Decrypted Code Coverage:100%
                              Signature Coverage:2.2%
                              Total number of Nodes:135
                              Total number of Limit Nodes:9

                              Control-flow Graph

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1429754615.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7270000_Payment Swift CopyMT103.jbxd
                              Similarity
                              • API ID:
                              • String ID: \ lw
                              • API String ID: 0-2684086738
                              • Opcode ID: f18400bb79ba1f3cd1e30032275faac53fefd6defdc64684b0bca34ef1363818
                              • Instruction ID: c459f53f78a66e8ef0f6c359967fa62ef26edf6cdd334ca69b9b0074a18d06f6
                              • Opcode Fuzzy Hash: f18400bb79ba1f3cd1e30032275faac53fefd6defdc64684b0bca34ef1363818
                              • Instruction Fuzzy Hash: 0EB2C575E00228CFDB64CF69C984AD9BBB2FF89304F1581E9D509AB265DB319E81CF50
                              Memory Dump Source
                              • Source File: 00000000.00000002.1429754615.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7270000_Payment Swift CopyMT103.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: eb935fe5e46d34a770c5f1331492639810976077fc3517e3e1a577200e6644be
                              • Instruction ID: a0a8deb6596cac9abe3eb50f3f9c8a91baffb4b4c30e8212d78b0d6f0d49589d
                              • Opcode Fuzzy Hash: eb935fe5e46d34a770c5f1331492639810976077fc3517e3e1a577200e6644be
                              • Instruction Fuzzy Hash: E2329FB0E102198FDB19DFB8C9507AEBBF2AF85300F148569D409AB395DB349D85CB91
                              Memory Dump Source
                              • Source File: 00000000.00000002.1427096490.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_53b0000_Payment Swift CopyMT103.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e0df3d1051e96366ad20c5e6516699d1a5305aaa80b32cbabfe16f06a2db9b0f
                              • Instruction ID: b3bca806fd831ed6be3aecb153427c38fec7888519cebaf0c20f3c989f312be3
                              • Opcode Fuzzy Hash: e0df3d1051e96366ad20c5e6516699d1a5305aaa80b32cbabfe16f06a2db9b0f
                              • Instruction Fuzzy Hash: 7B525E34A003058FDB14DF28C844BD9B7B2FF85314F2586A9D5586F3A2DBB1A986CF81
                              Memory Dump Source
                              • Source File: 00000000.00000002.1427096490.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_53b0000_Payment Swift CopyMT103.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 89fe6d868ba13f1e6f66a62b21ba8242bc79d0db5eb6037d9eb4f9b1d2f6b334
                              • Instruction ID: 89ec0b7407272e009d146f21c6edf3eeb8e9163d633a806c462aeb04987d3152
                              • Opcode Fuzzy Hash: 89fe6d868ba13f1e6f66a62b21ba8242bc79d0db5eb6037d9eb4f9b1d2f6b334
                              • Instruction Fuzzy Hash: 40525E34A003458FDB14DF28C844BD9B7B2FF85314F2586A9D5586F3A2DBB1A986CF81
                              Memory Dump Source
                              • Source File: 00000000.00000002.1429754615.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7270000_Payment Swift CopyMT103.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 093a9d8a3219c8a85eac2feb97af414285c2684209edc00a5795431a8e1044a5
                              • Instruction ID: 013ed07b8e4bbc6074d0054ececa9cdeccb82117b2f91923e5ced56412959176
                              • Opcode Fuzzy Hash: 093a9d8a3219c8a85eac2feb97af414285c2684209edc00a5795431a8e1044a5
                              • Instruction Fuzzy Hash: F242F970A1061ACFCB14DF68C994AEDF7F1FF89300F1486AAD449AB251EB70A985CF50
                              Memory Dump Source
                              • Source File: 00000000.00000002.1429754615.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7270000_Payment Swift CopyMT103.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 68e3ef3bc7788fba136b0f30536f99f68950f12b3385a10fac8918462146fc33
                              • Instruction ID: bab1bcec898d974a721cc8d74ea9641589d079369d12b82dc328447f679efdff
                              • Opcode Fuzzy Hash: 68e3ef3bc7788fba136b0f30536f99f68950f12b3385a10fac8918462146fc33
                              • Instruction Fuzzy Hash: D312A575D1071A8FCB15DF68C980AD9F7B1BF89300F15C6AAD859A7211EB70AAC4CF90
                              Memory Dump Source
                              • Source File: 00000000.00000002.1429754615.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7270000_Payment Swift CopyMT103.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: dcf99242697060a38c74d950d0984da5c1eaf31285e331b4571ef50aa6228964
                              • Instruction ID: 45e4f712f3a84885fa57b68b9c76e7ed3064c6b033eb0f24a1a29eb0691526be
                              • Opcode Fuzzy Hash: dcf99242697060a38c74d950d0984da5c1eaf31285e331b4571ef50aa6228964
                              • Instruction Fuzzy Hash: 50D19AB0E10259CFDF15CFA5C98079ABBF2EF85300F0485AAD849AB255EB309985CF91
                              Memory Dump Source
                              • Source File: 00000000.00000002.1429754615.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7270000_Payment Swift CopyMT103.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 188d7fb1290f6792e49979ee18b7d4e253e02bcaa5279b5a9b600597dc866fbf
                              • Instruction ID: dfec23fb2bbf69ade023943a0119d39682c1d102b29dc8ca71dd0a894c3b7a3c
                              • Opcode Fuzzy Hash: 188d7fb1290f6792e49979ee18b7d4e253e02bcaa5279b5a9b600597dc866fbf
                              • Instruction Fuzzy Hash: 94C169B0E10219CFDF15CFA5CA8079EBBB2AF88300F14C5AAD849AB355DB319985CF51
                              Memory Dump Source
                              • Source File: 00000000.00000002.1429754615.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7270000_Payment Swift CopyMT103.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2f2c875e225dcc7532352f71a6b5c0dee493f3920b74e32bcc75d25055280507
                              • Instruction ID: 1f6535df2d7b6b53b6fe9f197f588d4958cf2f784003923ffa5864fbd5033d90
                              • Opcode Fuzzy Hash: 2f2c875e225dcc7532352f71a6b5c0dee493f3920b74e32bcc75d25055280507
                              • Instruction Fuzzy Hash: 4BC16BB0E10219CFDF15CFA5C98079EBBB2AF84300F14C5A9D849AB355EB719985CF51
                              Memory Dump Source
                              • Source File: 00000000.00000002.1422610211.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2dd0000_Payment Swift CopyMT103.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 36e51ab702923c35ac27c4a6471a4084736de6450adc45541cc61faf181386b2
                              • Instruction ID: a1f3a7f6c9adc04ed0d6b7dcf7218db78efd7ba9fbd60a77219a271997589c5d
                              • Opcode Fuzzy Hash: 36e51ab702923c35ac27c4a6471a4084736de6450adc45541cc61faf181386b2
                              • Instruction Fuzzy Hash: 72A15A35E0071ADFDB04DBA4DC9499DBBBAFF89310F148219E816AB3A5DB30AD45CB50
                              Memory Dump Source
                              • Source File: 00000000.00000002.1422610211.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2dd0000_Payment Swift CopyMT103.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 5aa933bb477bf468fbbedb43f0bcbd458b4ebddd51ff3889939ec40b69fa55f4
                              • Instruction ID: f65e51bc5f88bd0f1872b305ecfc717f2019ff8398ee492f9eabe3e28b95915f
                              • Opcode Fuzzy Hash: 5aa933bb477bf468fbbedb43f0bcbd458b4ebddd51ff3889939ec40b69fa55f4
                              • Instruction Fuzzy Hash: 2F916D35E0071ADFCB05DFA4DC949DDFBBAFF89310B148219E815AB2A5EB30A945CB50
                              Memory Dump Source
                              • Source File: 00000000.00000002.1421317070.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fb0000_Payment Swift CopyMT103.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 92075171d81c94e5729de30a308406d8f3d0ac72cd99e5b0ac8cf37d9ce5795d
                              • Instruction ID: df8aaac1078667c7653500182f3aaaa0aff26b1a22f45ea4ecaf010e1e0a24a7
                              • Opcode Fuzzy Hash: 92075171d81c94e5729de30a308406d8f3d0ac72cd99e5b0ac8cf37d9ce5795d
                              • Instruction Fuzzy Hash: 50819F74E00208DFDB15DFA9D894ADDBBF2BF88300F24852AE419AB365DB346945DF50
                              Memory Dump Source
                              • Source File: 00000000.00000002.1421317070.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fb0000_Payment Swift CopyMT103.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 5d920a50b215cfd20bdd12f5c7fd461fccb5b47c68799d3add74672556f76d66
                              • Instruction ID: 81201e21daa3163eb663b331348bc2ade84570cd4b152315f8b74019c2cd0d90
                              • Opcode Fuzzy Hash: 5d920a50b215cfd20bdd12f5c7fd461fccb5b47c68799d3add74672556f76d66
                              • Instruction Fuzzy Hash: BC819074E002089FDB15DFA9D894ADDBBF2FF88300F24852AE419AB365DB346945DF50
                              Memory Dump Source
                              • Source File: 00000000.00000002.1429754615.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7270000_Payment Swift CopyMT103.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a1ddc25b0827838720c199fb7aaf327ec13d78820f42b94d2ce7ac2e94ba2e72
                              • Instruction ID: fcd35db796bb6ecc6ee5f3bb40997237ddc5147377f18344ff29675c44fb6ed7
                              • Opcode Fuzzy Hash: a1ddc25b0827838720c199fb7aaf327ec13d78820f42b94d2ce7ac2e94ba2e72
                              • Instruction Fuzzy Hash: 06210CB1D14619CBEB18CFAAC94069EFBF2BFC9300F14D0AAC418A7255EB740A06CF50
                              Memory Dump Source
                              • Source File: 00000000.00000002.1429754615.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7270000_Payment Swift CopyMT103.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f0541a9db7a062295382139dbc6398634de265782515050e8b21d9e66f57d99b
                              • Instruction ID: d31a1919cf455f705c5bf2867309288bfeabf5fce1fd69dfbfc3ee4f79c8dace
                              • Opcode Fuzzy Hash: f0541a9db7a062295382139dbc6398634de265782515050e8b21d9e66f57d99b
                              • Instruction Fuzzy Hash: E52194B1E146198BEB18CFABC94069EFBF6BFC9300F14D06A8418A7255EB705A468F50

                              Control-flow Graph

                              APIs
                              • GetCurrentProcess.KERNEL32 ref: 00FBD5FE
                              • GetCurrentThread.KERNEL32 ref: 00FBD63B
                              • GetCurrentProcess.KERNEL32 ref: 00FBD678
                              • GetCurrentThreadId.KERNEL32 ref: 00FBD6D1
                              Memory Dump Source
                              • Source File: 00000000.00000002.1421317070.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fb0000_Payment Swift CopyMT103.jbxd
                              Similarity
                              • API ID: Current$ProcessThread
                              • String ID:
                              • API String ID: 2063062207-0
                              • Opcode ID: b51d8bd529b6640a4b49060465ea3e39eece911c5496f3c66eedea27e4f8a643
                              • Instruction ID: 759db980bcf3c675f6efb36cf1ffee7e846152836719e0a29a901d61b5821e69
                              • Opcode Fuzzy Hash: b51d8bd529b6640a4b49060465ea3e39eece911c5496f3c66eedea27e4f8a643
                              • Instruction Fuzzy Hash: F35198B09007498FDB14CFAAD888BDEBBF1EF88314F248059E019A73A1D7745944CF66

                              Control-flow Graph

                              APIs
                              • GetCurrentProcess.KERNEL32 ref: 00FBD5FE
                              • GetCurrentThread.KERNEL32 ref: 00FBD63B
                              • GetCurrentProcess.KERNEL32 ref: 00FBD678
                              • GetCurrentThreadId.KERNEL32 ref: 00FBD6D1
                              Memory Dump Source
                              • Source File: 00000000.00000002.1421317070.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fb0000_Payment Swift CopyMT103.jbxd
                              Similarity
                              • API ID: Current$ProcessThread
                              • String ID:
                              • API String ID: 2063062207-0
                              • Opcode ID: 604c99c6a5fa6c43a2cad77f8249558fda4f12687422107ca156d9e18e21cabb
                              • Instruction ID: 25373a84c90210c607240d8c108afc417db63bbe76de678710aeae24d51ab42c
                              • Opcode Fuzzy Hash: 604c99c6a5fa6c43a2cad77f8249558fda4f12687422107ca156d9e18e21cabb
                              • Instruction Fuzzy Hash: 2D5157B09007098FDB18CFAAD988BDEBBF5AF88314F20C019E419A7350D7745944CF66

                              Control-flow Graph

                              APIs
                              • GetModuleHandleW.KERNELBASE(00000000), ref: 00FBB546
                              Memory Dump Source
                              • Source File: 00000000.00000002.1421317070.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fb0000_Payment Swift CopyMT103.jbxd
                              Similarity
                              • API ID: HandleModule
                              • String ID:
                              • API String ID: 4139908857-0
                              • Opcode ID: 86e87d4188918d8bb0de973b9a806407e2db90de0f94fbd306def2bed989b720
                              • Instruction ID: 78ecdc1515ce62c345cc781a9bdd6ef994feead9ba88ec5da3278ab090da9fd4
                              • Opcode Fuzzy Hash: 86e87d4188918d8bb0de973b9a806407e2db90de0f94fbd306def2bed989b720
                              • Instruction Fuzzy Hash: 7D814370A00B058FDB24DF2AD4417AABBF1FF88310F148A29D48ADBA51D7B5E805DF91

                              Control-flow Graph

                              APIs
                              • CreateActCtxA.KERNEL32(?), ref: 00FB59C9
                              Memory Dump Source
                              • Source File: 00000000.00000002.1421317070.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fb0000_Payment Swift CopyMT103.jbxd
                              Similarity
                              • API ID: Create
                              • String ID:
                              • API String ID: 2289755597-0
                              • Opcode ID: 86b0ba17c80c50aeaecc9c9adb24d1b2aba901492192bcdd748dae0d41db565d
                              • Instruction ID: b62f5c9578be9153f3699e1e277f386c000c01ff2915a4e786ca7922e13070fd
                              • Opcode Fuzzy Hash: 86b0ba17c80c50aeaecc9c9adb24d1b2aba901492192bcdd748dae0d41db565d
                              • Instruction Fuzzy Hash: 0651EEB1C00719CFDB20CFAAC8857DEBBF5BB48704F24816AD408AB251D779A945CFA1

                              Control-flow Graph

                              APIs
                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02DD1F02
                              Memory Dump Source
                              • Source File: 00000000.00000002.1422610211.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2dd0000_Payment Swift CopyMT103.jbxd
                              Similarity
                              • API ID: CreateWindow
                              • String ID:
                              • API String ID: 716092398-0
                              • Opcode ID: b2c90a888e50311116b306680298e4d925d2788bd2db1e590a8521dcbb5c22f0
                              • Instruction ID: cd2faae35e9663a431c2d025197e25bd6993809feecc62f24f753d8c5017540c
                              • Opcode Fuzzy Hash: b2c90a888e50311116b306680298e4d925d2788bd2db1e590a8521dcbb5c22f0
                              • Instruction Fuzzy Hash: F851BFB1D10349DFDB14CFAAC884ADEBBB5FF88314F24812AE819AB250D7759945CF90

                              Control-flow Graph

                              APIs
                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02DD1F02
                              Memory Dump Source
                              • Source File: 00000000.00000002.1422610211.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2dd0000_Payment Swift CopyMT103.jbxd
                              Similarity
                              • API ID: CreateWindow
                              • String ID:
                              • API String ID: 716092398-0
                              • Opcode ID: 7124293fecdb8a488707ebbb89fb831476e24418538679a9f035e61ff01cdfb5
                              • Instruction ID: 6c0f26bf074f47758ba11fbe27c8f39bcde3cf12a21b66a76528cbb543327a02
                              • Opcode Fuzzy Hash: 7124293fecdb8a488707ebbb89fb831476e24418538679a9f035e61ff01cdfb5
                              • Instruction Fuzzy Hash: CF41C1B1D00349DFDB14CFA9C884ADEBBB5FF48314F24812AE418AB250D7719945CF90

                              Control-flow Graph

                              APIs
                              • CallWindowProcW.USER32(?,?,?,?,?), ref: 02DD4481
                              Memory Dump Source
                              • Source File: 00000000.00000002.1422610211.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2dd0000_Payment Swift CopyMT103.jbxd
                              Similarity
                              • API ID: CallProcWindow
                              • String ID:
                              • API String ID: 2714655100-0
                              • Opcode ID: 927d750b30a4c0022b54d1184a1936aa6d31d3778591b48a91776a54e8d789a6
                              • Instruction ID: 2133130a26af7b31f84c1c7192b6fdc99a9ad2ac3fddaca5ab558d5f959148f0
                              • Opcode Fuzzy Hash: 927d750b30a4c0022b54d1184a1936aa6d31d3778591b48a91776a54e8d789a6
                              • Instruction Fuzzy Hash: F7411AB4A00705DFDB14CF99C888AAABBF5FF88314F24C459D519AB361D7B4A841CFA0

                              Control-flow Graph

                              control_flow_graph 1866 fb44b4-fb59d9 CreateActCtxA 1869 fb59db-fb59e1 1866->1869 1870 fb59e2-fb5a3c 1866->1870 1869->1870 1877 fb5a4b-fb5a4f 1870->1877 1878 fb5a3e-fb5a41 1870->1878 1879 fb5a51-fb5a5d 1877->1879 1880 fb5a60 1877->1880 1878->1877 1879->1880 1882 fb5a61 1880->1882 1882->1882
                              APIs
                              • CreateActCtxA.KERNEL32(?), ref: 00FB59C9
                              Memory Dump Source
                              • Source File: 00000000.00000002.1421317070.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fb0000_Payment Swift CopyMT103.jbxd
                              Similarity
                              • API ID: Create
                              • String ID:
                              • API String ID: 2289755597-0
                              • Opcode ID: 0f476b147c86e32f2f76f5f2e4c523f623411420491e37e6ddc19d9e540907c3
                              • Instruction ID: bb69df7e6bd04de0f05b9d574060263efb65a8b2bdd3f702e38ca5c12348e649
                              • Opcode Fuzzy Hash: 0f476b147c86e32f2f76f5f2e4c523f623411420491e37e6ddc19d9e540907c3
                              • Instruction Fuzzy Hash: C841D2B1C00719CBDB24CFAAC884BDEBBF5BF88704F20816AD408AB251DB755945CF50

                              Control-flow Graph

                              control_flow_graph 1883 7277820-7277845 call 7275244 1887 7277847-7277857 1883->1887 1888 727785a-72778ec CreateIconFromResourceEx 1883->1888 1891 72778f5-7277912 1888->1891 1892 72778ee-72778f4 1888->1892 1892->1891
                              Memory Dump Source
                              • Source File: 00000000.00000002.1429754615.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7270000_Payment Swift CopyMT103.jbxd
                              Similarity
                              • API ID: CreateFromIconResource
                              • String ID:
                              • API String ID: 3668623891-0
                              • Opcode ID: 36d832c46c064e18c0fe099d025bf4010295fa15404323165e139fbada8ab3e9
                              • Instruction ID: b6ccea022c06df11dba3075828713527001103b6a8a239770844f5bfaa2202c4
                              • Opcode Fuzzy Hash: 36d832c46c064e18c0fe099d025bf4010295fa15404323165e139fbada8ab3e9
                              • Instruction Fuzzy Hash: EC3187729003899FCB11CFA9C844AEABFF8EF09310F14845AE954AB261C3359954DFA1

                              Control-flow Graph

                              control_flow_graph 1895 7275b08-7275b5c 1897 7275b67-7275b76 1895->1897 1898 7275b5e-7275b64 1895->1898 1899 7275b7b-7275bb4 DrawTextExW 1897->1899 1900 7275b78 1897->1900 1898->1897 1901 7275bb6-7275bbc 1899->1901 1902 7275bbd-7275bda 1899->1902 1900->1899 1901->1902
                              APIs
                              • DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,07275AF5,?,?), ref: 07275BA7
                              Memory Dump Source
                              • Source File: 00000000.00000002.1429754615.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7270000_Payment Swift CopyMT103.jbxd
                              Similarity
                              • API ID: DrawText
                              • String ID:
                              • API String ID: 2175133113-0
                              • Opcode ID: edbfb91333c12c8e7ae2f3fbf87b0a16eca6a44689a7c7b2c6f466a7f30d5466
                              • Instruction ID: b4d3aa7f4fda2a065204a1debedf69c076d62ffecbfe99e0b9496002aa357f71
                              • Opcode Fuzzy Hash: edbfb91333c12c8e7ae2f3fbf87b0a16eca6a44689a7c7b2c6f466a7f30d5466
                              • Instruction Fuzzy Hash: 8231D2B591124A9FDB10CFAAD880AEEFBF4FB48210F14842AE814A7250D774A954CFA5

                              Control-flow Graph

                              control_flow_graph 1905 72750dc-7275b5c 1907 7275b67-7275b76 1905->1907 1908 7275b5e-7275b64 1905->1908 1909 7275b7b-7275bb4 DrawTextExW 1907->1909 1910 7275b78 1907->1910 1908->1907 1911 7275bb6-7275bbc 1909->1911 1912 7275bbd-7275bda 1909->1912 1910->1909 1911->1912
                              APIs
                              • DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,07275AF5,?,?), ref: 07275BA7
                              Memory Dump Source
                              • Source File: 00000000.00000002.1429754615.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7270000_Payment Swift CopyMT103.jbxd
                              Similarity
                              • API ID: DrawText
                              • String ID:
                              • API String ID: 2175133113-0
                              • Opcode ID: f6e611ae1ef1077260f636950e7212e6a828eedfcfc1013b82a977526de4c424
                              • Instruction ID: 473213e9391247c56548dfaf5072a6013c3ae05156c8a34506a1506201066324
                              • Opcode Fuzzy Hash: f6e611ae1ef1077260f636950e7212e6a828eedfcfc1013b82a977526de4c424
                              • Instruction Fuzzy Hash: 8631E0B591034A9FDB10CF9AD984AAEFBF4FB48310F14842AE919A7210D374A950CFA4

                              Control-flow Graph

                              control_flow_graph 1915 fbd7c0-fbd85c DuplicateHandle 1916 fbd85e-fbd864 1915->1916 1917 fbd865-fbd882 1915->1917 1916->1917
                              APIs
                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00FBD84F
                              Memory Dump Source
                              • Source File: 00000000.00000002.1421317070.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fb0000_Payment Swift CopyMT103.jbxd
                              Similarity
                              • API ID: DuplicateHandle
                              • String ID:
                              • API String ID: 3793708945-0
                              • Opcode ID: 8092d702dabc356ef278f30d3ade5592cae8d3a13bac024cd88416dcaed6dd03
                              • Instruction ID: f1959b573396c1ff42c701351da3529395f2e0fcbf60150d36d61bbd79390f68
                              • Opcode Fuzzy Hash: 8092d702dabc356ef278f30d3ade5592cae8d3a13bac024cd88416dcaed6dd03
                              • Instruction Fuzzy Hash: 3E21F4B5C002489FDB10CFAAD485ADEBBF5EB48320F14802AE854A7310D375A945CF61
                              APIs
                              • MonitorFromPoint.USER32(?,?,00000002), ref: 053B4ECF
                              Memory Dump Source
                              • Source File: 00000000.00000002.1427096490.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_53b0000_Payment Swift CopyMT103.jbxd
                              Similarity
                              • API ID: FromMonitorPoint
                              • String ID:
                              • API String ID: 1566494148-0
                              • Opcode ID: 523d3c93557e9aa789d392ea89abd174884d4a562c5bdcee14e5ef4970a71924
                              • Instruction ID: ab5041476194e5a726079f00d79b37e311051a007a4d2274fae794d891d991fa
                              • Opcode Fuzzy Hash: 523d3c93557e9aa789d392ea89abd174884d4a562c5bdcee14e5ef4970a71924
                              • Instruction Fuzzy Hash: 3F2169B49042088FDB11DF99D805BEEFBF5FB48310F508409EA56A7780CB756904CFA1
                              APIs
                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00FBD84F
                              Memory Dump Source
                              • Source File: 00000000.00000002.1421317070.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fb0000_Payment Swift CopyMT103.jbxd
                              Similarity
                              • API ID: DuplicateHandle
                              • String ID:
                              • API String ID: 3793708945-0
                              • Opcode ID: 10d5c41ebff480233c2c8d2450f8d287f036ab16173bd761919297471fa66525
                              • Instruction ID: 30f7098d2a59bf666ede342bb62a039c04ca2d1852912aaf4f7c157c936c3123
                              • Opcode Fuzzy Hash: 10d5c41ebff480233c2c8d2450f8d287f036ab16173bd761919297471fa66525
                              • Instruction Fuzzy Hash: F221C2B5D002489FDB10CFAAD884ADEBBF8FB48324F14841AE918A7350D374A954CFA5
                              APIs
                              • MonitorFromPoint.USER32(?,?,00000002), ref: 053B4ECF
                              Memory Dump Source
                              • Source File: 00000000.00000002.1427096490.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_53b0000_Payment Swift CopyMT103.jbxd
                              Similarity
                              • API ID: FromMonitorPoint
                              • String ID:
                              • API String ID: 1566494148-0
                              • Opcode ID: 125bb4cd0de76b2c32e9f7d3d73030dd17d02e43fdd63d0c57d38fc4a2ded6c9
                              • Instruction ID: a7b589a86f367736999b396bc472c842502d575f22a887c6d3aa43de5461f077
                              • Opcode Fuzzy Hash: 125bb4cd0de76b2c32e9f7d3d73030dd17d02e43fdd63d0c57d38fc4a2ded6c9
                              • Instruction Fuzzy Hash: 022157B59043488FDB22CFA9D845BEEBBB5FB48310F10801AE956A7681C7755905CFA1
                              APIs
                              • CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,0727783A,?,?,?,?,?), ref: 072778DF
                              Memory Dump Source
                              • Source File: 00000000.00000002.1429754615.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7270000_Payment Swift CopyMT103.jbxd
                              Similarity
                              • API ID: CreateFromIconResource
                              • String ID:
                              • API String ID: 3668623891-0
                              • Opcode ID: d27bc88498635fb675020a44904ac209a0d367ddc9e447d8afdeb37aefea7cdc
                              • Instruction ID: dbd486480c54bb0e490a7e915c47ac80d8f0c4635afecbc69863e2bcf23b7c59
                              • Opcode Fuzzy Hash: d27bc88498635fb675020a44904ac209a0d367ddc9e447d8afdeb37aefea7cdc
                              • Instruction Fuzzy Hash: 9C1126B28103499FDB10CFAAC944BDEBBF8EB48310F14841AE915A7250C375A954DFA5
                              APIs
                              • GetModuleHandleW.KERNELBASE(00000000), ref: 00FBB546
                              Memory Dump Source
                              • Source File: 00000000.00000002.1421317070.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fb0000_Payment Swift CopyMT103.jbxd
                              Similarity
                              • API ID: HandleModule
                              • String ID:
                              • API String ID: 4139908857-0
                              • Opcode ID: daf9f68984e1d82838bc149f0687ac0081ec0f8eddabf095a1ea45be84432cd0
                              • Instruction ID: 894e49b9ec2bc8b8f8e4ba64751a1ecfdc4cb285274676e4b66a4f93bddce079
                              • Opcode Fuzzy Hash: daf9f68984e1d82838bc149f0687ac0081ec0f8eddabf095a1ea45be84432cd0
                              • Instruction Fuzzy Hash: AB11E0B6C007498FDB20DF9AD844BDEFBF4AF88324F14841AD429A7610D3B5A545CFA2
                              Memory Dump Source
                              • Source File: 00000000.00000002.1421104386.0000000000F5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F5D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_f5d000_Payment Swift CopyMT103.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 417099c92dde6b5dae85f30df2db428ecba23f1793d191f2c9f4c2d3ed446def
                              • Instruction ID: 0c33c8714be3fd3bb0cc640e23d26e8a397e8110b92f0bde6d2279a58cdd5a76
                              • Opcode Fuzzy Hash: 417099c92dde6b5dae85f30df2db428ecba23f1793d191f2c9f4c2d3ed446def
                              • Instruction Fuzzy Hash: AC214872904240DFDB25DF10C8C0B26BFA5FB84329F34C169EE050B246C336D85ADBA2
                              Memory Dump Source
                              • Source File: 00000000.00000002.1421156644.0000000000F6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F6D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_f6d000_Payment Swift CopyMT103.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 34997c1b6fbdf1cc466cba6fb21b0c4f5dfdd530e606b7f23d00b5039451ba9d
                              • Instruction ID: 918be0b957078bf4801c988a72ded438f9a162ca7c8916e2a2f644b2f38ee597
                              • Opcode Fuzzy Hash: 34997c1b6fbdf1cc466cba6fb21b0c4f5dfdd530e606b7f23d00b5039451ba9d
                              • Instruction Fuzzy Hash: 4621F6B1E04344EFDB15DF50D9D0B26BBA5FB88324F24C56DE8494B292C336D846DB62
                              Memory Dump Source
                              • Source File: 00000000.00000002.1421156644.0000000000F6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F6D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_f6d000_Payment Swift CopyMT103.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 3026b950cbb13cb4cc243e175871267ceeba5eb6de5cd98649dfc69f9b95ac21
                              • Instruction ID: 041c37862dbede9d90512dc30bf93acd4f552f66f5b98cf372a5f0eb308592e5
                              • Opcode Fuzzy Hash: 3026b950cbb13cb4cc243e175871267ceeba5eb6de5cd98649dfc69f9b95ac21
                              • Instruction Fuzzy Hash: A821F575A04340EFDB14DF10D5C4B26BBA5FB84324F24C569E84A4B24AC337D847DA62
                              Memory Dump Source
                              • Source File: 00000000.00000002.1421156644.0000000000F6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F6D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_f6d000_Payment Swift CopyMT103.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: abcc2d4f2734cf93ce7636d2312f42847c5810ebe2fd197d688bf79763a101c9
                              • Instruction ID: fd4ac25cf8cc4952a6e01d929ab7e5d141cad590c39945e77229d116d89cd0cd
                              • Opcode Fuzzy Hash: abcc2d4f2734cf93ce7636d2312f42847c5810ebe2fd197d688bf79763a101c9
                              • Instruction Fuzzy Hash: 312162759093C09FCB12CF24D994715BF71EB46314F28C5EAD8498F6A7C33A984ACB62
                              Memory Dump Source
                              • Source File: 00000000.00000002.1421104386.0000000000F5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F5D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_f5d000_Payment Swift CopyMT103.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 01a772179decf110bb882872cb952e1b13b119dd61991aef1ad72797cf3e64a4
                              • Instruction ID: 830fbffced14f54b7b92bd031796dfd4aaf5467ac016f034b2b3a49aa204b0ef
                              • Opcode Fuzzy Hash: 01a772179decf110bb882872cb952e1b13b119dd61991aef1ad72797cf3e64a4
                              • Instruction Fuzzy Hash: AA11D376904280CFCB15CF10D5C4B16BF71FB94328F28C6A9DD490B656C336D85ADBA1
                              Memory Dump Source
                              • Source File: 00000000.00000002.1421156644.0000000000F6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F6D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_f6d000_Payment Swift CopyMT103.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: fb11cfc8073ccb158cd0f42583cdb3ded50e3effa001a3c93aefd0de24dc37f6
                              • Instruction ID: c6b287204749c0b9a306fe8464a007bdffd5aa333c339c205d426e2775c77032
                              • Opcode Fuzzy Hash: fb11cfc8073ccb158cd0f42583cdb3ded50e3effa001a3c93aefd0de24dc37f6
                              • Instruction Fuzzy Hash: 1F119D75A04280DFCB15CF10D9D4B15FBB1FB84328F28C6ADD8494B696C33AD84ADB61
                              Memory Dump Source
                              • Source File: 00000000.00000002.1421104386.0000000000F5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F5D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_f5d000_Payment Swift CopyMT103.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d33c868f6b47d59dd78b88ec7bb681139387318b25a6fe29f349a86c6668be25
                              • Instruction ID: e721a0806cf2e36a1f6d49b8c590dc06284b2b69be054dfc350e3008292a51d1
                              • Opcode Fuzzy Hash: d33c868f6b47d59dd78b88ec7bb681139387318b25a6fe29f349a86c6668be25
                              • Instruction Fuzzy Hash: 4601A77240A3449BE7304B25DD84766BFD8EF85735F24C459EE094A192C3789844DA72
                              Memory Dump Source
                              • Source File: 00000000.00000002.1421104386.0000000000F5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F5D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_f5d000_Payment Swift CopyMT103.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a91a50e9c756dc0f45254f387bcd912f6678d2bfef85c32e38730e39e81e4847
                              • Instruction ID: 2b049af3f44b9c2ccb172dfa408f8d2deea3db4ad5e33dbb677c5c215473ec4c
                              • Opcode Fuzzy Hash: a91a50e9c756dc0f45254f387bcd912f6678d2bfef85c32e38730e39e81e4847
                              • Instruction Fuzzy Hash: 27F062724093449FEB208B16D984B66FFD8EB95735F18C55AED084A292C2799C44CA71
                              Memory Dump Source
                              • Source File: 00000000.00000002.1422610211.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2dd0000_Payment Swift CopyMT103.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e16fe832b46168349de2a37703c78eeb9d9e3d1674de886d41d36c76fd1299c7
                              • Instruction ID: b62ba6b3f936cc164a8bde10c9b330d30bcf8ca8b05c429c4c071cfcec655e21
                              • Opcode Fuzzy Hash: e16fe832b46168349de2a37703c78eeb9d9e3d1674de886d41d36c76fd1299c7
                              • Instruction Fuzzy Hash: A31294B24117458BE732DF65EC4C18A3BB1BB81318F50630AD2626B2E9DBB4156BCF48
                              Memory Dump Source
                              • Source File: 00000000.00000002.1422610211.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2dd0000_Payment Swift CopyMT103.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: dc62845081f6ef848465ce6db5285ba9ad4c235408e38d69fd0156e182cb04b9
                              • Instruction ID: 0438743677f7f11eb8681a6621d502a0df44fc445ef78d33c41c859dd7bdbac3
                              • Opcode Fuzzy Hash: dc62845081f6ef848465ce6db5285ba9ad4c235408e38d69fd0156e182cb04b9
                              • Instruction Fuzzy Hash: EBD10431C1075A8ACB11EBA4D9A0699F3B1FFD5200F50CB9AD5093B225EF706AC9CF91
                              Memory Dump Source
                              • Source File: 00000000.00000002.1421317070.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fb0000_Payment Swift CopyMT103.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 39da304e5b6fd712b10d3d86228d37ae2315011030411c0c50aecfa309a3d681
                              • Instruction ID: 4833ca35ee2cf16837b429cf1d8136d76c110661402fd52295c2ec479a55461f
                              • Opcode Fuzzy Hash: 39da304e5b6fd712b10d3d86228d37ae2315011030411c0c50aecfa309a3d681
                              • Instruction Fuzzy Hash: EEA16C36E002099FCF15DFB6CC405DEB7B2BF85310B2585AAE801AB265DB35E916DF40
                              Memory Dump Source
                              • Source File: 00000000.00000002.1422610211.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2dd0000_Payment Swift CopyMT103.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 04118cdd5c57772090b279d04589db42646eb03ef02a4885ed8022a1b49a976a
                              • Instruction ID: b13898efdd048c68584da14a41dce0c27b2ba2b50100dc2d0d9ac2d3ea61d4bb
                              • Opcode Fuzzy Hash: 04118cdd5c57772090b279d04589db42646eb03ef02a4885ed8022a1b49a976a
                              • Instruction Fuzzy Hash: 21D1F431D1075A8ACB11EBA4D960699F3B1FFD5200F50CB9AE5093B224EF706AC9CF91
                              Memory Dump Source
                              • Source File: 00000000.00000002.1422610211.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2dd0000_Payment Swift CopyMT103.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 4f1dbf674f910dedf1d5641d522e0afaa1484a2bc8a7631093fbb2dda16c06fd
                              • Instruction ID: 84797ba6ddc071893e76a523f7a42b44b61899677c8744fd7f8231eeaae84a15
                              • Opcode Fuzzy Hash: 4f1dbf674f910dedf1d5641d522e0afaa1484a2bc8a7631093fbb2dda16c06fd
                              • Instruction Fuzzy Hash: DBD10531D1075A8ACB11EBA4D960699F3B1FFD5300F50CB9AD5097B225EB706AC9CF81
                              Memory Dump Source
                              • Source File: 00000000.00000002.1429754615.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7270000_Payment Swift CopyMT103.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b3f371ccb649526f9b10f8ef2bb91957390741cec75e19270daff99d2700b496
                              • Instruction ID: e4cd27e0705a20a5315580bb9f313bfe9a03c3624bed5d35fb3e69a45821839e
                              • Opcode Fuzzy Hash: b3f371ccb649526f9b10f8ef2bb91957390741cec75e19270daff99d2700b496
                              • Instruction Fuzzy Hash: A6C184B5E116188FDB58CF6AC9446DDBBF2BF89301F14C0A9D909AB364DB305A85CF50
                              Memory Dump Source
                              • Source File: 00000000.00000002.1422610211.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2dd0000_Payment Swift CopyMT103.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b4427263957e08c4a2f1205f80fe6579a91fa64937a865d808be53994f8523d3
                              • Instruction ID: a24476fea819493c7ee962223e67310c431893918617d68040dcb677f3ecdcf2
                              • Opcode Fuzzy Hash: b4427263957e08c4a2f1205f80fe6579a91fa64937a865d808be53994f8523d3
                              • Instruction Fuzzy Hash: 0BC1F7B28117458BEB22DF65EC4C18B7BB1FB85324F50630AD1626F2D9DBB4146ACF48
                              Memory Dump Source
                              • Source File: 00000000.00000002.1422610211.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2dd0000_Payment Swift CopyMT103.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 76ccb0f82ebdd81d4dd4e27feaa34e9a6344270e81fae94dc22c2f790f082034
                              • Instruction ID: 203c170110a661e8b6898346faaa22897350ae5e94b58bae4cfc7b9e22fc451d
                              • Opcode Fuzzy Hash: 76ccb0f82ebdd81d4dd4e27feaa34e9a6344270e81fae94dc22c2f790f082034
                              • Instruction Fuzzy Hash: 4EC1F7B2811745CBE722DF65EC4C18B7BB1BB85324F50630AD1626B2E8DBB4146ACF48
                              Memory Dump Source
                              • Source File: 00000000.00000002.1429754615.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7270000_Payment Swift CopyMT103.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 6628335df5b23d8b3fc8f7ae2eb67eb25edb76a414fa2c7422dc9116e634190e
                              • Instruction ID: a53b26aa76cad532cc9cb7bdd3cbd31b76b6f54f4e21a4aed93a0d30a0a70728
                              • Opcode Fuzzy Hash: 6628335df5b23d8b3fc8f7ae2eb67eb25edb76a414fa2c7422dc9116e634190e
                              • Instruction Fuzzy Hash: 6C6127B1E2520DCFDF14DFA9D680AEEBBBAEF8A300F109029D419A7251D7B45945CF80
                              Memory Dump Source
                              • Source File: 00000000.00000002.1429754615.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7270000_Payment Swift CopyMT103.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e61067b7502fe69ef396ad4bc4e628b01034d269eeffdee418fab606735b3a7d
                              • Instruction ID: b148aec660b9d8522c4044c1cc5926ada2821de85b1121e37806101536cc0357
                              • Opcode Fuzzy Hash: e61067b7502fe69ef396ad4bc4e628b01034d269eeffdee418fab606735b3a7d
                              • Instruction Fuzzy Hash: 17611C70E116099FEB08EF7AE95169EBBF2BFC4300F14E529E0149B264EF74590A9F41
                              Memory Dump Source
                              • Source File: 00000000.00000002.1429754615.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7270000_Payment Swift CopyMT103.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: df9aef3f69a717a6e9d38f5753b2fe198ea83e195e3ba8998c1d7bef8f1d2c25
                              • Instruction ID: cddbb0d12380dae7b8453c683fca7f4ed66fee82a3d0a8cc0f7ab3995bbb1785
                              • Opcode Fuzzy Hash: df9aef3f69a717a6e9d38f5753b2fe198ea83e195e3ba8998c1d7bef8f1d2c25
                              • Instruction Fuzzy Hash: 15612B70E1160D9FEB08EF6AE95169EBBF2BFC8300F14E529D0149B264EF74590A9F41

                              Execution Graph

                              Execution Coverage:11.2%
                              Dynamic/Decrypted Code Coverage:100%
                              Signature Coverage:0%
                              Total number of Nodes:190
                              Total number of Limit Nodes:15
                              execution_graph 47994 7015e90 47996 7015ea9 47994->47996 47997 7015f09 47996->47997 47998 7013d78 47996->47998 47999 7013d9c 47998->47999 48001 7013da3 47998->48001 47999->47997 48000 7013df6 48000->47997 48001->48000 48003 70140b3 GetCurrentThreadId 48001->48003 48187 70172e0 48188 70172f5 48187->48188 48189 7013d78 GetCurrentThreadId 48188->48189 48191 7017306 48188->48191 48190 7017302 48189->48190 48192 6ad5448 48194 6ad5469 48192->48194 48193 6ad5481 48194->48193 48198 6ad5ac8 48194->48198 48201 6ad5ad8 48194->48201 48195 6ad5593 48204 6ad50dc 48198->48204 48202 6ad5af5 48201->48202 48203 6ad50dc DrawTextExW 48201->48203 48202->48195 48203->48202 48205 6ad5b10 DrawTextExW 48204->48205 48207 6ad5af5 48205->48207 48207->48195 48208 e6d580 48209 e6d5c6 GetCurrentProcess 48208->48209 48211 e6d611 48209->48211 48212 e6d618 GetCurrentThread 48209->48212 48211->48212 48213 e6d655 GetCurrentProcess 48212->48213 48215 e6d64e 48212->48215 48214 e6d68b 48213->48214 48216 e6d6b3 GetCurrentThreadId 48214->48216 48215->48213 48217 e6d6e4 48216->48217 48012 6af9404 48013 6af9390 48012->48013 48014 6af93a0 48012->48014 48013->48014 48017 6afaf97 48013->48017 48032 6afaf98 48013->48032 48018 6afaf98 48017->48018 48030 6afafd6 48018->48030 48047 6afb9ef 48018->48047 48051 6afb592 48018->48051 48057 6afb676 48018->48057 48062 6afb5f9 48018->48062 48067 6afba9f 48018->48067 48072 6afb700 48018->48072 48076 6afb521 48018->48076 48081 6afb642 48018->48081 48086 6afb743 48018->48086 48091 6afb5c4 48018->48091 48096 6afb42d 48018->48096 48101 6afb56d 48018->48101 48030->48014 48033 6afafb2 48032->48033 48034 6afafd6 48033->48034 48035 6afb9ef 2 API calls 48033->48035 48036 6afb56d 2 API calls 48033->48036 48037 6afb42d 2 API calls 48033->48037 48038 6afb5c4 2 API calls 48033->48038 48039 6afb743 2 API calls 48033->48039 48040 6afb642 2 API calls 48033->48040 48041 6afb521 2 API calls 48033->48041 48042 6afb700 2 API calls 48033->48042 48043 6afba9f 2 API calls 48033->48043 48044 6afb5f9 2 API calls 48033->48044 48045 6afb676 2 API calls 48033->48045 48046 6afb592 2 API calls 48033->48046 48034->48014 48035->48034 48036->48034 48037->48034 48038->48034 48039->48034 48040->48034 48041->48034 48042->48034 48043->48034 48044->48034 48045->48034 48046->48034 48106 6af86d8 48047->48106 48110 6af86d1 48047->48110 48048 6afba09 48048->48030 48052 6afb596 48051->48052 48053 6afb602 48051->48053 48052->48030 48114 6af8be8 48053->48114 48118 6af8be0 48053->48118 48054 6afb61a 48054->48030 48058 6afb538 48057->48058 48059 6afb54d 48057->48059 48122 6af8628 48058->48122 48126 6af8621 48058->48126 48059->48030 48063 6afb602 48062->48063 48065 6af8be8 VirtualAllocEx 48063->48065 48066 6af8be0 VirtualAllocEx 48063->48066 48064 6afb61a 48064->48030 48065->48064 48066->48064 48068 6afbaa3 48067->48068 48070 6af86d8 Wow64SetThreadContext 48068->48070 48071 6af86d1 Wow64SetThreadContext 48068->48071 48069 6afb48f 48069->48030 48070->48069 48071->48069 48130 6af8ca8 48072->48130 48134 6af8ca0 48072->48134 48073 6afb724 48077 6afb527 48076->48077 48079 6af8628 ResumeThread 48077->48079 48080 6af8621 ResumeThread 48077->48080 48078 6afb54d 48078->48030 48079->48078 48080->48078 48082 6afbb81 48081->48082 48138 6af8d98 48082->48138 48142 6af8d91 48082->48142 48083 6afbba3 48087 6afb750 48086->48087 48089 6af8ca8 WriteProcessMemory 48087->48089 48090 6af8ca0 WriteProcessMemory 48087->48090 48088 6afbc05 48088->48030 48089->48088 48090->48088 48092 6afb5d4 48091->48092 48094 6af8ca8 WriteProcessMemory 48092->48094 48095 6af8ca0 WriteProcessMemory 48092->48095 48093 6afb785 48094->48093 48095->48093 48097 6afb433 48096->48097 48146 6af8f24 48097->48146 48150 6af8f30 48097->48150 48102 6afbaa3 48101->48102 48103 6afb48f 48101->48103 48104 6af86d8 Wow64SetThreadContext 48102->48104 48105 6af86d1 Wow64SetThreadContext 48102->48105 48103->48030 48104->48103 48105->48103 48107 6af871d Wow64SetThreadContext 48106->48107 48109 6af8765 48107->48109 48109->48048 48111 6af86d8 Wow64SetThreadContext 48110->48111 48113 6af8765 48111->48113 48113->48048 48115 6af8c28 VirtualAllocEx 48114->48115 48117 6af8c65 48115->48117 48117->48054 48119 6af8be8 VirtualAllocEx 48118->48119 48121 6af8c65 48119->48121 48121->48054 48123 6af8668 ResumeThread 48122->48123 48125 6af8699 48123->48125 48125->48059 48127 6af8628 ResumeThread 48126->48127 48129 6af8699 48127->48129 48129->48059 48131 6af8cf0 WriteProcessMemory 48130->48131 48133 6af8d47 48131->48133 48133->48073 48135 6af8ca8 WriteProcessMemory 48134->48135 48137 6af8d47 48135->48137 48137->48073 48139 6af8de3 ReadProcessMemory 48138->48139 48141 6af8e27 48139->48141 48141->48083 48143 6af8d98 ReadProcessMemory 48142->48143 48145 6af8e27 48143->48145 48145->48083 48147 6af8f30 CreateProcessA 48146->48147 48149 6af917b 48147->48149 48149->48149 48151 6af8fb9 CreateProcessA 48150->48151 48153 6af917b 48151->48153 48153->48153 48154 6ad6e00 48155 6ad6e3a 48154->48155 48156 6ad6ecb 48155->48156 48157 6ad6eb6 48155->48157 48159 6ad51fc 3 API calls 48156->48159 48162 6ad51fc 48157->48162 48161 6ad6eda 48159->48161 48163 6ad5207 48162->48163 48164 6ad6ec1 48163->48164 48167 6ad7820 48163->48167 48173 6ad7810 48163->48173 48181 6ad5244 48167->48181 48170 6ad7847 48170->48164 48171 6ad78db CreateIconFromResourceEx 48172 6ad78ee 48171->48172 48172->48164 48174 6ad77b5 48173->48174 48175 6ad7813 48173->48175 48174->48164 48176 6ad5244 CreateIconFromResourceEx 48175->48176 48178 6ad783a 48175->48178 48176->48178 48177 6ad7847 48177->48164 48178->48177 48179 6ad78db CreateIconFromResourceEx 48178->48179 48180 6ad78ee 48179->48180 48180->48164 48182 6ad7870 CreateIconFromResourceEx 48181->48182 48184 6ad783a 48182->48184 48184->48170 48184->48171 47973 e64668 47974 e6467a 47973->47974 47975 e64686 47974->47975 47977 e64778 47974->47977 47978 e6479d 47977->47978 47982 e64877 47978->47982 47986 e64888 47978->47986 47984 e648af 47982->47984 47983 e6498c 47983->47983 47984->47983 47990 e644b4 47984->47990 47987 e648af 47986->47987 47988 e6498c 47987->47988 47989 e644b4 CreateActCtxA 47987->47989 47989->47988 47991 e65918 CreateActCtxA 47990->47991 47993 e659db 47991->47993 48004 e6b1f8 48005 e6b207 48004->48005 48007 e6b2df 48004->48007 48008 e6b324 48007->48008 48009 e6b301 48007->48009 48008->48005 48009->48008 48010 e6b528 GetModuleHandleW 48009->48010 48011 e6b555 48010->48011 48011->48005 48185 e6d7c8 DuplicateHandle 48186 e6d85e 48185->48186 48218 6afc1c0 48219 6afc1e6 48218->48219 48220 6afc34b 48218->48220 48219->48220 48222 6afa6c0 48219->48222 48223 6afc440 PostMessageW 48222->48223 48224 6afc4ac 48223->48224 48224->48219

                              Control-flow Graph

                              APIs
                              • GetCurrentProcess.KERNEL32 ref: 00E6D5FE
                              • GetCurrentThread.KERNEL32 ref: 00E6D63B
                              • GetCurrentProcess.KERNEL32 ref: 00E6D678
                              • GetCurrentThreadId.KERNEL32 ref: 00E6D6D1
                              Memory Dump Source
                              • Source File: 00000008.00000002.1458158273.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_e60000_AASHNosznogz.jbxd
                              Similarity
                              • API ID: Current$ProcessThread
                              • String ID:
                              • API String ID: 2063062207-0
                              • Opcode ID: 21c46e452f5bc4d55aa2d839b2c91a82c4f00fdcdbd36b729042f472c41fcd60
                              • Instruction ID: 19932bad25d61e472768547f6e490edd2e56380a154404485b4bb8da207df64c
                              • Opcode Fuzzy Hash: 21c46e452f5bc4d55aa2d839b2c91a82c4f00fdcdbd36b729042f472c41fcd60
                              • Instruction Fuzzy Hash: 1E5199B0D043498FDB15DFAAD9487AEBBF1EF88314F24805AE008B7350D7746844CB66

                              Control-flow Graph

                              APIs
                              • GetCurrentProcess.KERNEL32 ref: 00E6D5FE
                              • GetCurrentThread.KERNEL32 ref: 00E6D63B
                              • GetCurrentProcess.KERNEL32 ref: 00E6D678
                              • GetCurrentThreadId.KERNEL32 ref: 00E6D6D1
                              Memory Dump Source
                              • Source File: 00000008.00000002.1458158273.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_e60000_AASHNosznogz.jbxd
                              Similarity
                              • API ID: Current$ProcessThread
                              • String ID:
                              • API String ID: 2063062207-0
                              • Opcode ID: e693de0eafdec30825b548da092922f9cc92ac2d96e441f5bf963ca876bed12d
                              • Instruction ID: bb613a19eda7bb29e152551438d3d5b51cff19cbf1337c871afcb439c3cd9071
                              • Opcode Fuzzy Hash: e693de0eafdec30825b548da092922f9cc92ac2d96e441f5bf963ca876bed12d
                              • Instruction Fuzzy Hash: 175158B0D047098FDB14DFAAD948BAEBBF1EF88314F208059E419B7350D774A944CB65

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 228 6af8f24-6af8fc5 231 6af8ffe-6af901e 228->231 232 6af8fc7-6af8fd1 228->232 237 6af9057-6af9086 231->237 238 6af9020-6af902a 231->238 232->231 233 6af8fd3-6af8fd5 232->233 235 6af8ff8-6af8ffb 233->235 236 6af8fd7-6af8fe1 233->236 235->231 239 6af8fe5-6af8ff4 236->239 240 6af8fe3 236->240 248 6af90bf-6af9179 CreateProcessA 237->248 249 6af9088-6af9092 237->249 238->237 241 6af902c-6af902e 238->241 239->239 242 6af8ff6 239->242 240->239 243 6af9051-6af9054 241->243 244 6af9030-6af903a 241->244 242->235 243->237 246 6af903e-6af904d 244->246 247 6af903c 244->247 246->246 250 6af904f 246->250 247->246 260 6af917b-6af9181 248->260 261 6af9182-6af9208 248->261 249->248 251 6af9094-6af9096 249->251 250->243 253 6af90b9-6af90bc 251->253 254 6af9098-6af90a2 251->254 253->248 255 6af90a6-6af90b5 254->255 256 6af90a4 254->256 255->255 257 6af90b7 255->257 256->255 257->253 260->261 271 6af920a-6af920e 261->271 272 6af9218-6af921c 261->272 271->272 275 6af9210 271->275 273 6af921e-6af9222 272->273 274 6af922c-6af9230 272->274 273->274 276 6af9224 273->276 277 6af9232-6af9236 274->277 278 6af9240-6af9244 274->278 275->272 276->274 277->278 279 6af9238 277->279 280 6af9256-6af925d 278->280 281 6af9246-6af924c 278->281 279->278 282 6af925f-6af926e 280->282 283 6af9274 280->283 281->280 282->283 284 6af9275 283->284 284->284
                              APIs
                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06AF9166
                              Memory Dump Source
                              • Source File: 00000008.00000002.1464185684.0000000006AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AF0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6af0000_AASHNosznogz.jbxd
                              Similarity
                              • API ID: CreateProcess
                              • String ID:
                              • API String ID: 963392458-0
                              • Opcode ID: 3c65e9fd2537ffd7809593311a3cb7688ca539d64688a6974e19ddf950c0b1da
                              • Instruction ID: 074430ccc2dc4d5896b5a88f563c8c8dff74ff89c920de62534b520d19a71f98
                              • Opcode Fuzzy Hash: 3c65e9fd2537ffd7809593311a3cb7688ca539d64688a6974e19ddf950c0b1da
                              • Instruction Fuzzy Hash: 44A18C71D103198FEF60DFA9C840BDEBBB2BF48300F1481A9E918A7240DB759981CF92

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 286 6af8f30-6af8fc5 288 6af8ffe-6af901e 286->288 289 6af8fc7-6af8fd1 286->289 294 6af9057-6af9086 288->294 295 6af9020-6af902a 288->295 289->288 290 6af8fd3-6af8fd5 289->290 292 6af8ff8-6af8ffb 290->292 293 6af8fd7-6af8fe1 290->293 292->288 296 6af8fe5-6af8ff4 293->296 297 6af8fe3 293->297 305 6af90bf-6af9179 CreateProcessA 294->305 306 6af9088-6af9092 294->306 295->294 298 6af902c-6af902e 295->298 296->296 299 6af8ff6 296->299 297->296 300 6af9051-6af9054 298->300 301 6af9030-6af903a 298->301 299->292 300->294 303 6af903e-6af904d 301->303 304 6af903c 301->304 303->303 307 6af904f 303->307 304->303 317 6af917b-6af9181 305->317 318 6af9182-6af9208 305->318 306->305 308 6af9094-6af9096 306->308 307->300 310 6af90b9-6af90bc 308->310 311 6af9098-6af90a2 308->311 310->305 312 6af90a6-6af90b5 311->312 313 6af90a4 311->313 312->312 314 6af90b7 312->314 313->312 314->310 317->318 328 6af920a-6af920e 318->328 329 6af9218-6af921c 318->329 328->329 332 6af9210 328->332 330 6af921e-6af9222 329->330 331 6af922c-6af9230 329->331 330->331 333 6af9224 330->333 334 6af9232-6af9236 331->334 335 6af9240-6af9244 331->335 332->329 333->331 334->335 336 6af9238 334->336 337 6af9256-6af925d 335->337 338 6af9246-6af924c 335->338 336->335 339 6af925f-6af926e 337->339 340 6af9274 337->340 338->337 339->340 341 6af9275 340->341 341->341
                              APIs
                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06AF9166
                              Memory Dump Source
                              • Source File: 00000008.00000002.1464185684.0000000006AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AF0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6af0000_AASHNosznogz.jbxd
                              Similarity
                              • API ID: CreateProcess
                              • String ID:
                              • API String ID: 963392458-0
                              • Opcode ID: 2eae9e3a51ed45622c2e6349b41dabb58ef3c7526e7c6e2130aaa72e1e92d9b8
                              • Instruction ID: 29595a6cd5b2ac937a01dabf24d1e92259f446255dabb24b9f4ac9d4c3d0f668
                              • Opcode Fuzzy Hash: 2eae9e3a51ed45622c2e6349b41dabb58ef3c7526e7c6e2130aaa72e1e92d9b8
                              • Instruction Fuzzy Hash: AF917B71D103198FEF60DFA9C840BDEBBB2BF48310F1485A9E918A7240DB759981CF92

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 343 e6b2df-e6b2ff 344 e6b301-e6b30e call e6aca4 343->344 345 e6b32b-e6b32f 343->345 351 e6b324 344->351 352 e6b310 344->352 347 e6b343-e6b384 345->347 348 e6b331-e6b33b 345->348 354 e6b386-e6b38e 347->354 355 e6b391-e6b39f 347->355 348->347 351->345 398 e6b316 call e6b588 352->398 399 e6b316 call e6b579 352->399 354->355 356 e6b3c3-e6b3c5 355->356 357 e6b3a1-e6b3a6 355->357 362 e6b3c8-e6b3cf 356->362 359 e6b3b1 357->359 360 e6b3a8-e6b3af call e6acb0 357->360 358 e6b31c-e6b31e 358->351 361 e6b460-e6b520 358->361 364 e6b3b3-e6b3c1 359->364 360->364 393 e6b522-e6b525 361->393 394 e6b528-e6b553 GetModuleHandleW 361->394 365 e6b3d1-e6b3d9 362->365 366 e6b3dc-e6b3e3 362->366 364->362 365->366 369 e6b3e5-e6b3ed 366->369 370 e6b3f0-e6b3f2 call e6acc0 366->370 369->370 372 e6b3f7-e6b3f9 370->372 374 e6b406-e6b40b 372->374 375 e6b3fb-e6b403 372->375 376 e6b40d-e6b414 374->376 377 e6b429-e6b436 374->377 375->374 376->377 379 e6b416-e6b426 call e6acd0 call e6ace0 376->379 384 e6b438-e6b456 377->384 385 e6b459-e6b45f 377->385 379->377 384->385 393->394 395 e6b555-e6b55b 394->395 396 e6b55c-e6b570 394->396 395->396 398->358 399->358
                              APIs
                              • GetModuleHandleW.KERNELBASE(00000000), ref: 00E6B546
                              Memory Dump Source
                              • Source File: 00000008.00000002.1458158273.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_e60000_AASHNosznogz.jbxd
                              Similarity
                              • API ID: HandleModule
                              • String ID:
                              • API String ID: 4139908857-0
                              • Opcode ID: 9ccbfb4ac46a80589abad4e64a31cbc60b4aa84251f5219c10f21edc5a22a2ec
                              • Instruction ID: 7a85bc75ed6856f6c0bebcdaea1a664366b3a31af59ca70e0f1948f3ce3350e4
                              • Opcode Fuzzy Hash: 9ccbfb4ac46a80589abad4e64a31cbc60b4aa84251f5219c10f21edc5a22a2ec
                              • Instruction Fuzzy Hash: 4B815770A40B058FDB24DF29E4417AABBF1FF88344F10892ED08AE7A51DB75E845CB91

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 400 e6590d-e659d9 CreateActCtxA 402 e659e2-e65a3c 400->402 403 e659db-e659e1 400->403 410 e65a3e-e65a41 402->410 411 e65a4b-e65a4f 402->411 403->402 410->411 412 e65a60 411->412 413 e65a51-e65a5d 411->413 415 e65a61 412->415 413->412 415->415
                              APIs
                              • CreateActCtxA.KERNEL32(?), ref: 00E659C9
                              Memory Dump Source
                              • Source File: 00000008.00000002.1458158273.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_e60000_AASHNosznogz.jbxd
                              Similarity
                              • API ID: Create
                              • String ID:
                              • API String ID: 2289755597-0
                              • Opcode ID: 9aaa6ec998cf810b12c679f958695cd119558a8cfd51fed8de35ee83584f271a
                              • Instruction ID: f3328c7841f5e8ffe6b4b3de939445ea76b1a60c97f4150c312da9fcb3c67565
                              • Opcode Fuzzy Hash: 9aaa6ec998cf810b12c679f958695cd119558a8cfd51fed8de35ee83584f271a
                              • Instruction Fuzzy Hash: E541E2B1D00719CFDB24CFAAC885BDEBBB6BF48704F20816AD408AB251DB756946CF51

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 416 e644b4-e659d9 CreateActCtxA 419 e659e2-e65a3c 416->419 420 e659db-e659e1 416->420 427 e65a3e-e65a41 419->427 428 e65a4b-e65a4f 419->428 420->419 427->428 429 e65a60 428->429 430 e65a51-e65a5d 428->430 432 e65a61 429->432 430->429 432->432
                              APIs
                              • CreateActCtxA.KERNEL32(?), ref: 00E659C9
                              Memory Dump Source
                              • Source File: 00000008.00000002.1458158273.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_e60000_AASHNosznogz.jbxd
                              Similarity
                              • API ID: Create
                              • String ID:
                              • API String ID: 2289755597-0
                              • Opcode ID: 059cbcbfe5799442e95897f90e2c8d3197c3961ed2311d7bd3dfec10819aaf85
                              • Instruction ID: 77aa5a5849479fc14f62653ef9135f7105967eea88188f7c851bed27d95c5ae8
                              • Opcode Fuzzy Hash: 059cbcbfe5799442e95897f90e2c8d3197c3961ed2311d7bd3dfec10819aaf85
                              • Instruction Fuzzy Hash: AF41D2B1D00719CBDB24CFAAC8847DEBBB6BF88704F20816AD408AB251DB756945CF50

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 433 6ad7820-6ad7845 call 6ad5244 436 6ad785a-6ad78ec CreateIconFromResourceEx 433->436 437 6ad7847-6ad7857 433->437 441 6ad78ee-6ad78f4 436->441 442 6ad78f5-6ad7912 436->442 441->442
                              Memory Dump Source
                              • Source File: 00000008.00000002.1464042045.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6ad0000_AASHNosznogz.jbxd
                              Similarity
                              • API ID: CreateFromIconResource
                              • String ID:
                              • API String ID: 3668623891-0
                              • Opcode ID: effe74bcb2a4ea54440183ff318293729e58044a66507ef2bded32e4b6bba907
                              • Instruction ID: bf30f035c48d50a3fa9cfa568bc4a23ab5d6b7650a434f54c0b00cb1f50f24c3
                              • Opcode Fuzzy Hash: effe74bcb2a4ea54440183ff318293729e58044a66507ef2bded32e4b6bba907
                              • Instruction Fuzzy Hash: F431AD719043889FDB11DFA9C844AEEBFF4EF09310F14805AE554AB261C3359850DFA1

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 445 6ad791b-6ad7921 446 6ad78c5 445->446 447 6ad7923-6ad7938 445->447 450 6ad78db-6ad78ec CreateIconFromResourceEx 446->450 451 6ad78c7-6ad78d4 446->451 448 6ad793e-6ad7947 447->448 449 6ad79ba-6ad79be 447->449 448->449 456 6ad7949-6ad794f 448->456 452 6ad78ee-6ad78f4 450->452 453 6ad78f5-6ad7912 450->453 451->450 452->453 458 6ad7951 456->458 459 6ad7953-6ad796b 456->459 458->459 461 6ad796d-6ad7974 459->461 462 6ad7976-6ad7978 459->462 463 6ad797a-6ad7997 461->463 462->463 466 6ad79ae-6ad79b0 463->466 467 6ad7999-6ad79a8 463->467 466->449 467->466
                              APIs
                              • CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,06AD783A,?,?,?,?,?), ref: 06AD78DF
                              Memory Dump Source
                              • Source File: 00000008.00000002.1464042045.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6ad0000_AASHNosznogz.jbxd
                              Similarity
                              • API ID: CreateFromIconResource
                              • String ID:
                              • API String ID: 3668623891-0
                              • Opcode ID: 5eff563f3b0b96dad25e6981c97598e566beb346c1d46fd67b09817af9d7585e
                              • Instruction ID: fe6b01fd7739c26fa5d7eaf9e320547a15460ad67883970035e60cf8dc393cca
                              • Opcode Fuzzy Hash: 5eff563f3b0b96dad25e6981c97598e566beb346c1d46fd67b09817af9d7585e
                              • Instruction Fuzzy Hash: EF210232A047408FEB65EB69D8447AFFBF9EFC4314F14846AD04E9B211D7749884CBA0

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 469 6af8ca0-6af8cf6 472 6af8cf8-6af8d04 469->472 473 6af8d06-6af8d45 WriteProcessMemory 469->473 472->473 475 6af8d4e-6af8d7e 473->475 476 6af8d47-6af8d4d 473->476 476->475
                              APIs
                              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06AF8D38
                              Memory Dump Source
                              • Source File: 00000008.00000002.1464185684.0000000006AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AF0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6af0000_AASHNosznogz.jbxd
                              Similarity
                              • API ID: MemoryProcessWrite
                              • String ID:
                              • API String ID: 3559483778-0
                              • Opcode ID: 2e3b38a8e0d1718d2f33de45b9d5eeddcca962ad9929243640a3330cae736a5e
                              • Instruction ID: 999e6476d8516f55a20105cbd55c0b96c418f2eb507348193136bee724babe6d
                              • Opcode Fuzzy Hash: 2e3b38a8e0d1718d2f33de45b9d5eeddcca962ad9929243640a3330cae736a5e
                              • Instruction Fuzzy Hash: 252127719003199FDF10DFAAC885BEEBBF5FF48310F50842AE918A7250C779A945CBA5

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 480 6ad5b08-6ad5b5c 482 6ad5b5e-6ad5b64 480->482 483 6ad5b67-6ad5b76 480->483 482->483 484 6ad5b78 483->484 485 6ad5b7b-6ad5bb4 DrawTextExW 483->485 484->485 486 6ad5bbd-6ad5bda 485->486 487 6ad5bb6-6ad5bbc 485->487 487->486
                              APIs
                              • DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,06AD5AF5,?,?), ref: 06AD5BA7
                              Memory Dump Source
                              • Source File: 00000008.00000002.1464042045.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6ad0000_AASHNosznogz.jbxd
                              Similarity
                              • API ID: DrawText
                              • String ID:
                              • API String ID: 2175133113-0
                              • Opcode ID: 352dcbc72f11d75b344a28d3be0b5707a0f1b6e73b1fe01d0f79b77af3d4b522
                              • Instruction ID: 2ed1545034530435088ecb308054355ca94840e240becbe8cdcc83f6a75bc0f1
                              • Opcode Fuzzy Hash: 352dcbc72f11d75b344a28d3be0b5707a0f1b6e73b1fe01d0f79b77af3d4b522
                              • Instruction Fuzzy Hash: 1E31E2B5D013499FDB11DF9AD880AEEBBF8FF48210F14842AE819A7250D774A944CFA5

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 490 6ad50dc-6ad5b5c 492 6ad5b5e-6ad5b64 490->492 493 6ad5b67-6ad5b76 490->493 492->493 494 6ad5b78 493->494 495 6ad5b7b-6ad5bb4 DrawTextExW 493->495 494->495 496 6ad5bbd-6ad5bda 495->496 497 6ad5bb6-6ad5bbc 495->497 497->496
                              APIs
                              • DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,06AD5AF5,?,?), ref: 06AD5BA7
                              Memory Dump Source
                              • Source File: 00000008.00000002.1464042045.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6ad0000_AASHNosznogz.jbxd
                              Similarity
                              • API ID: DrawText
                              • String ID:
                              • API String ID: 2175133113-0
                              • Opcode ID: d7a8dc3984eeaa71de7858da8a29d74e27267505c61c36b413e9a624f4089006
                              • Instruction ID: ed2d73894f93fd4e5c3ac0f5851f546a7d61152a57efc06bfce135e46ead7f79
                              • Opcode Fuzzy Hash: d7a8dc3984eeaa71de7858da8a29d74e27267505c61c36b413e9a624f4089006
                              • Instruction Fuzzy Hash: 4331DFB5D002099FDB10DF9AD884AAEBBF8EF48210F14842AE819A7251D774A940CFA4

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 500 6af8ca8-6af8cf6 502 6af8cf8-6af8d04 500->502 503 6af8d06-6af8d45 WriteProcessMemory 500->503 502->503 505 6af8d4e-6af8d7e 503->505 506 6af8d47-6af8d4d 503->506 506->505
                              APIs
                              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06AF8D38
                              Memory Dump Source
                              • Source File: 00000008.00000002.1464185684.0000000006AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AF0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6af0000_AASHNosznogz.jbxd
                              Similarity
                              • API ID: MemoryProcessWrite
                              • String ID:
                              • API String ID: 3559483778-0
                              • Opcode ID: ca4392e536e7705cd2510b1a401873c59c407cef70e3891c3da55006057210d0
                              • Instruction ID: de53b48c3b70acda0778e65249323f99d3ccb32eb64e1b4b3ee12e0350045b47
                              • Opcode Fuzzy Hash: ca4392e536e7705cd2510b1a401873c59c407cef70e3891c3da55006057210d0
                              • Instruction Fuzzy Hash: AB2125719003099FDB10DFAAC881BEEBBF5FF48310F10842AE918A7240C778A940CBA5
                              APIs
                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06AF8756
                              Memory Dump Source
                              • Source File: 00000008.00000002.1464185684.0000000006AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AF0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6af0000_AASHNosznogz.jbxd
                              Similarity
                              • API ID: ContextThreadWow64
                              • String ID:
                              • API String ID: 983334009-0
                              • Opcode ID: f4aadc56a76da5e235f78afceb490d21152ebc183b76be7faf951646ca168dd4
                              • Instruction ID: 79ef33434af9edc4d2dfed2c24fb71719d9e03d94e83435dc0e7315c26dfe935
                              • Opcode Fuzzy Hash: f4aadc56a76da5e235f78afceb490d21152ebc183b76be7faf951646ca168dd4
                              • Instruction Fuzzy Hash: 7A213871D003098FDB10DFAAC8857EFBBF4EF48214F14842AE519A7240CB78A945CFA5
                              APIs
                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06AF8E18
                              Memory Dump Source
                              • Source File: 00000008.00000002.1464185684.0000000006AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AF0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6af0000_AASHNosznogz.jbxd
                              Similarity
                              • API ID: MemoryProcessRead
                              • String ID:
                              • API String ID: 1726664587-0
                              • Opcode ID: c86093ca916ceb313dfc450bfe0a5b9e0eae59ca5527ee7bcc1a045ba945e2af
                              • Instruction ID: 0c5488d2b83db26c500a455b2dfa2df903bfac5b77bb152b2f8f18eaf0f044db
                              • Opcode Fuzzy Hash: c86093ca916ceb313dfc450bfe0a5b9e0eae59ca5527ee7bcc1a045ba945e2af
                              • Instruction Fuzzy Hash: FA214871C003099FDB10DFAAC880BEEBBF5FF48310F10842AE518A7240C7789540DBA5
                              APIs
                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00E6D84F
                              Memory Dump Source
                              • Source File: 00000008.00000002.1458158273.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_e60000_AASHNosznogz.jbxd
                              Similarity
                              • API ID: DuplicateHandle
                              • String ID:
                              • API String ID: 3793708945-0
                              • Opcode ID: 514860a21a805f849fe355370b17e86504eef69d954023ca24e191f02b751e97
                              • Instruction ID: ff8d2c90fe67a55dab6a004296b227a96a4788aae8bc7cd9740797000606b8d7
                              • Opcode Fuzzy Hash: 514860a21a805f849fe355370b17e86504eef69d954023ca24e191f02b751e97
                              • Instruction Fuzzy Hash: 0421E3B5D002099FDB10CFAAD884AEEBBF5FB48320F14842AE958A3350D375A944CF65
                              APIs
                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06AF8756
                              Memory Dump Source
                              • Source File: 00000008.00000002.1464185684.0000000006AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AF0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6af0000_AASHNosznogz.jbxd
                              Similarity
                              • API ID: ContextThreadWow64
                              • String ID:
                              • API String ID: 983334009-0
                              • Opcode ID: fba828f476fa4b6404cdea2b80a1916d9f3596cc350a7548be64f5c6593cd437
                              • Instruction ID: 0637ad5d06b3608bd279009e55f99f36ec49fbe9d862ca32b0a747052f23582c
                              • Opcode Fuzzy Hash: fba828f476fa4b6404cdea2b80a1916d9f3596cc350a7548be64f5c6593cd437
                              • Instruction Fuzzy Hash: 29212771D003098FDB14DFAAC8857EFBBF4EF88214F54842AE559A7240CB78A945CFA5
                              APIs
                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06AF8E18
                              Memory Dump Source
                              • Source File: 00000008.00000002.1464185684.0000000006AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AF0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6af0000_AASHNosznogz.jbxd
                              Similarity
                              • API ID: MemoryProcessRead
                              • String ID:
                              • API String ID: 1726664587-0
                              • Opcode ID: 8bd98f828a75a63a2842ff24e72be96b16063c58b66b2298db7dd5471fca7126
                              • Instruction ID: 4e726d91ee5c062232a8a4f4c7da898e0e6542fee080ef9e7138da9e03780a53
                              • Opcode Fuzzy Hash: 8bd98f828a75a63a2842ff24e72be96b16063c58b66b2298db7dd5471fca7126
                              • Instruction Fuzzy Hash: 71212571D003499FDB10DFAAC881BEEBBF5FF48310F10842AE518A7240C779A940DBA5
                              APIs
                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00E6D84F
                              Memory Dump Source
                              • Source File: 00000008.00000002.1458158273.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_e60000_AASHNosznogz.jbxd
                              Similarity
                              • API ID: DuplicateHandle
                              • String ID:
                              • API String ID: 3793708945-0
                              • Opcode ID: 1c2efddae829238a7aa1205ee391e2f6adcc808902557f9b6f089d323512d424
                              • Instruction ID: 000ad71ba168902993deac34cd736d50bb0ccfc4c64f88961130424478fad81a
                              • Opcode Fuzzy Hash: 1c2efddae829238a7aa1205ee391e2f6adcc808902557f9b6f089d323512d424
                              • Instruction Fuzzy Hash: BB21C4B5D002489FDB10CFAAD884ADEBBF8FB48310F14841AE918A3350D374A944CF65
                              APIs
                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06AF8C56
                              Memory Dump Source
                              • Source File: 00000008.00000002.1464185684.0000000006AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AF0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6af0000_AASHNosznogz.jbxd
                              Similarity
                              • API ID: AllocVirtual
                              • String ID:
                              • API String ID: 4275171209-0
                              • Opcode ID: d9dfe5b63ee4778d8542d8d1c0545e4debfb49d892323644a8191c6b6de353ff
                              • Instruction ID: 55f26ff31eac9b27747babb71010d678deed82803ca1cb7e00cbff018871390b
                              • Opcode Fuzzy Hash: d9dfe5b63ee4778d8542d8d1c0545e4debfb49d892323644a8191c6b6de353ff
                              • Instruction Fuzzy Hash: D71147719002489FDF14DFAAC844BDFBBF5EF48320F10881AE529A7250C779A541CFA5
                              APIs
                              • CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,06AD783A,?,?,?,?,?), ref: 06AD78DF
                              Memory Dump Source
                              • Source File: 00000008.00000002.1464042045.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6ad0000_AASHNosznogz.jbxd
                              Similarity
                              • API ID: CreateFromIconResource
                              • String ID:
                              • API String ID: 3668623891-0
                              • Opcode ID: ff7650cf7fa63f9399ba814f45caa70133e07495f69cdb2f8e55600f213d5364
                              • Instruction ID: c43caa6e237f8e1cf5a5661ab5691fff8c87ec941d567dd20e0fc6ea20f00924
                              • Opcode Fuzzy Hash: ff7650cf7fa63f9399ba814f45caa70133e07495f69cdb2f8e55600f213d5364
                              • Instruction Fuzzy Hash: 501156B18003499FDB10DFAAC844BEEBBF8EF48320F14801AE915A7210C375A990DFA5
                              APIs
                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06AF8C56
                              Memory Dump Source
                              • Source File: 00000008.00000002.1464185684.0000000006AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AF0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6af0000_AASHNosznogz.jbxd
                              Similarity
                              • API ID: AllocVirtual
                              • String ID:
                              • API String ID: 4275171209-0
                              • Opcode ID: e7918626cd800bc853b6d0fa205faf30b278c2c677ff332bb0207605b9b9cb8e
                              • Instruction ID: 24ab750991420215376c1222d754fdfb91a910d73b2abaf40cbc815115742f24
                              • Opcode Fuzzy Hash: e7918626cd800bc853b6d0fa205faf30b278c2c677ff332bb0207605b9b9cb8e
                              • Instruction Fuzzy Hash: 711126729002499FDB10DFAAC844BDFBBF5EF48310F14881AE529A7250C779A541CFA5
                              APIs
                              Memory Dump Source
                              • Source File: 00000008.00000002.1464185684.0000000006AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AF0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6af0000_AASHNosznogz.jbxd
                              Similarity
                              • API ID: ResumeThread
                              • String ID:
                              • API String ID: 947044025-0
                              • Opcode ID: 198a1a9f8529a708378a9a7638bdf8ee3716cdd99f23cff2998ec10218350bb4
                              • Instruction ID: e41b7c5e89c0093271e5117a80810203a70ab0eaa7ba69ed42e15f8197d3efc8
                              • Opcode Fuzzy Hash: 198a1a9f8529a708378a9a7638bdf8ee3716cdd99f23cff2998ec10218350bb4
                              • Instruction Fuzzy Hash: 2C111971D003498FDB14DFAAC84579FFBF8AF48214F14841AE519A7640C7796544CBA5
                              APIs
                              • PostMessageW.USER32(?,00000010,00000000,?), ref: 06AFC49D
                              Memory Dump Source
                              • Source File: 00000008.00000002.1464185684.0000000006AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AF0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6af0000_AASHNosznogz.jbxd
                              Similarity
                              • API ID: MessagePost
                              • String ID:
                              • API String ID: 410705778-0
                              • Opcode ID: ff849f8f3c6d085615f064a14d2256367741f0fb26abe2ce17212e843a46173e
                              • Instruction ID: cb41de9579ce6ddc9933319aa1756bb6ee498448f1d835cd86d9295df2a22dee
                              • Opcode Fuzzy Hash: ff849f8f3c6d085615f064a14d2256367741f0fb26abe2ce17212e843a46173e
                              • Instruction Fuzzy Hash: 0111F5B58007489FDB50DF9AC988BDEBBF8EB48320F10841AE919A7750C375A544CFA5
                              APIs
                              Memory Dump Source
                              • Source File: 00000008.00000002.1464185684.0000000006AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AF0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6af0000_AASHNosznogz.jbxd
                              Similarity
                              • API ID: ResumeThread
                              • String ID:
                              • API String ID: 947044025-0
                              • Opcode ID: 56b952c5c582cdc33bc650b8de8a558b7829a4db8bb534ed7745c980933edf3a
                              • Instruction ID: f3b758c4ba2e81b64b1141bc0cc40c94306bdcbdbbc41cf65ad343d593cee225
                              • Opcode Fuzzy Hash: 56b952c5c582cdc33bc650b8de8a558b7829a4db8bb534ed7745c980933edf3a
                              • Instruction Fuzzy Hash: D4113A71D003498FDB14DFAAC8457DFFBF8AF88214F14841AE519A7240C779A540CFA5
                              APIs
                              • GetModuleHandleW.KERNELBASE(00000000), ref: 00E6B546
                              Memory Dump Source
                              • Source File: 00000008.00000002.1458158273.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_e60000_AASHNosznogz.jbxd
                              Similarity
                              • API ID: HandleModule
                              • String ID:
                              • API String ID: 4139908857-0
                              • Opcode ID: 19e3ef8337b0cf29cd8761363dce69c523c12eb019723edb9dc8e7273ae17e80
                              • Instruction ID: 9c8b311c070e9f2462fa66f7b04860d3043c17cf3389faf2b87218f3167536ac
                              • Opcode Fuzzy Hash: 19e3ef8337b0cf29cd8761363dce69c523c12eb019723edb9dc8e7273ae17e80
                              • Instruction Fuzzy Hash: 6B11E0B6C006498FDB14CF9AD844BDEFBF9AF88314F10841AD429B7610C375A545CFA5
                              APIs
                              • PostMessageW.USER32(?,00000010,00000000,?), ref: 06AFC49D
                              Memory Dump Source
                              • Source File: 00000008.00000002.1464185684.0000000006AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AF0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6af0000_AASHNosznogz.jbxd
                              Similarity
                              • API ID: MessagePost
                              • String ID:
                              • API String ID: 410705778-0
                              • Opcode ID: 101c697b33c87140a8dd2a70522a6e6c57ab57e7e8d2f4658fe9429a33a9bf6c
                              • Instruction ID: b41f253433b892bfed614e28ae4115acdb8fb549342ee4d34286587362c9bad9
                              • Opcode Fuzzy Hash: 101c697b33c87140a8dd2a70522a6e6c57ab57e7e8d2f4658fe9429a33a9bf6c
                              • Instruction Fuzzy Hash: 83110AB5800348DFDB20DF9AC844BEFBBF8EB48324F10841AE555A7240C375A944CFA5
                              Memory Dump Source
                              • Source File: 00000008.00000002.1457831530.0000000000BBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BBD000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_bbd000_AASHNosznogz.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 882a64886374e6d15a384df4ed350087cc7579c78d42ff8bb0a4ea3558ca2408
                              • Instruction ID: 9a02bfb7ada71a31392cd11b9b1fdbd1715187a5e01129e840b3b110ec6faf2d
                              • Opcode Fuzzy Hash: 882a64886374e6d15a384df4ed350087cc7579c78d42ff8bb0a4ea3558ca2408
                              • Instruction Fuzzy Hash: E8212871504204DFDB04DF10D9C0B66BBE5FB94314F20C5A9E8090B356D37AE856CBA2
                              Memory Dump Source
                              • Source File: 00000008.00000002.1457898714.0000000000BCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BCD000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_bcd000_AASHNosznogz.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ba8756e8f5f7555102b1ea58a5c7190806b097641c7a8800c7282aa01401e025
                              • Instruction ID: 323f78fd2e9845d7c851eaefbdc52d89176fcce110745894d1b2c3e5c9f40cfb
                              • Opcode Fuzzy Hash: ba8756e8f5f7555102b1ea58a5c7190806b097641c7a8800c7282aa01401e025
                              • Instruction Fuzzy Hash: 6521CF79604240AFDB14DF28D9D4F26BBE5FB84314F20C5BDE84A4B296C336D847CA62
                              Memory Dump Source
                              • Source File: 00000008.00000002.1457898714.0000000000BCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BCD000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_bcd000_AASHNosznogz.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f2824dfe9e0a9df8548c1a4adabc4ba9f2e61e83894cf78ab09032054a869ae3
                              • Instruction ID: 053c9c920eb9b13d088bd57eaf6e14fe43e8e31186b1f416173134a6679e11f5
                              • Opcode Fuzzy Hash: f2824dfe9e0a9df8548c1a4adabc4ba9f2e61e83894cf78ab09032054a869ae3
                              • Instruction Fuzzy Hash: 0321B0B9604244AFDB05DF50D9C4F26BBE5FB84314F24C5BDE8494F292C336D846CA61
                              Memory Dump Source
                              • Source File: 00000008.00000002.1457898714.0000000000BCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BCD000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_bcd000_AASHNosznogz.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: de4b61cdfb0a42966473224f0286b82e5f594130864bf74b646cd03c2c3d6d1c
                              • Instruction ID: 51b15f5cc697f345f6670969bd2a2289b884768c392dfb514105d92dd3a6cc0c
                              • Opcode Fuzzy Hash: de4b61cdfb0a42966473224f0286b82e5f594130864bf74b646cd03c2c3d6d1c
                              • Instruction Fuzzy Hash: 1D21A4795093808FCB12CF24D594B15BFB1EB45314F28C5EED8498B697C33A980ACB62
                              Memory Dump Source
                              • Source File: 00000008.00000002.1457831530.0000000000BBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BBD000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_bbd000_AASHNosznogz.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 01a772179decf110bb882872cb952e1b13b119dd61991aef1ad72797cf3e64a4
                              • Instruction ID: adb9c6c51a1cc0b1e7098439b0b74411b26d8fb6005ae0c3e9a3f9624ce3d331
                              • Opcode Fuzzy Hash: 01a772179decf110bb882872cb952e1b13b119dd61991aef1ad72797cf3e64a4
                              • Instruction Fuzzy Hash: 8C11D376504240DFCB15CF10D5C4B66BFB1FB94324F24C6A9D8090B756C37AE85ACBA2
                              Memory Dump Source
                              • Source File: 00000008.00000002.1457898714.0000000000BCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BCD000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_bcd000_AASHNosznogz.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: fb11cfc8073ccb158cd0f42583cdb3ded50e3effa001a3c93aefd0de24dc37f6
                              • Instruction ID: 8a318f8ad8a1a1eeff2e6f15b7b5b6a2403223ef0f0f6706a41f28d5d8fe9c62
                              • Opcode Fuzzy Hash: fb11cfc8073ccb158cd0f42583cdb3ded50e3effa001a3c93aefd0de24dc37f6
                              • Instruction Fuzzy Hash: 9E118B7A604280DFCB15CF10D9C4B15BBA1FB84318F24C6AED8494F696C33AD84ACB61
                              Memory Dump Source
                              • Source File: 00000008.00000002.1457831530.0000000000BBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BBD000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_bbd000_AASHNosznogz.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: dfd901e3816e8370edc35d0176d450edc555c748d8913594c11622e072356c13
                              • Instruction ID: f5daae39a109c99ff37bcb409c514f4d27105a92fd83e34ddb49ffb4aca46eb0
                              • Opcode Fuzzy Hash: dfd901e3816e8370edc35d0176d450edc555c748d8913594c11622e072356c13
                              • Instruction Fuzzy Hash: 5C01A771504344ABE7104A27CDC47F7BBD8EF81724F14C4AAED094A282EBBD9C40CAB2
                              Memory Dump Source
                              • Source File: 00000008.00000002.1457831530.0000000000BBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BBD000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_bbd000_AASHNosznogz.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 9a2127aeea4e785360de275ae6136ac1c2f3af6fe12ab83dc6aebdefcb80f91b
                              • Instruction ID: cf714aa8949895775b27e77ba94cd8428302a14555913d0a3526aa858527fab0
                              • Opcode Fuzzy Hash: 9a2127aeea4e785360de275ae6136ac1c2f3af6fe12ab83dc6aebdefcb80f91b
                              • Instruction Fuzzy Hash: 34F0C271404344AFE7108A17CC84BB2FBD8EB80734F18C45AED080A282D2B9AC40CAB1

                              Execution Graph

                              Execution Coverage:1.8%
                              Dynamic/Decrypted Code Coverage:0%
                              Signature Coverage:3.6%
                              Total number of Nodes:633
                              Total number of Limit Nodes:17
                              execution_graph (rendered graph not recoverable as text; node/edge dump omitted). Node labels in the dump name the following API calls, reachable from the entry function at 40d3f0: LoadLibraryA, GetProcAddress, GetModuleHandleW, GetStartupInfoW, CreateMutexA, OpenMutexA, GetLastError, SetLastError, GetModuleFileNameW, CreateProcessA, CreateThread, WaitForSingleObject, SetEvent, CloseHandle, closesocket, RegOpenKeyExA, RegQueryValueExA, RegCloseKey, RtlAllocateHeap, RaiseException, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess
44c138 48 API calls 4 library calls 46198->46201 46200->45924 46201->46197 46203 41a919 LoadLibraryA GetProcAddress 46202->46203 46204 41a909 GetModuleHandleA GetProcAddress 46202->46204 46205 41a947 GetModuleHandleA GetProcAddress 46203->46205 46206 41a937 GetModuleHandleA GetProcAddress 46203->46206 46204->46203 46207 41a973 24 API calls 46205->46207 46208 41a95f GetModuleHandleA GetProcAddress 46205->46208 46206->46205 46207->45928 46208->46207 46358 419493 FindResourceA 46209->46358 46212 439adb _Yarn 21 API calls 46213 40ddad ctype 46212->46213 46361 402097 46213->46361 46216 401fc2 28 API calls 46217 40ddd3 46216->46217 46218 401fb8 11 API calls 46217->46218 46219 40dddc 46218->46219 46220 439adb _Yarn 21 API calls 46219->46220 46221 40dded ctype 46220->46221 46367 4062ee 46221->46367 46223 40de20 46223->45930 46225 4020ec 46224->46225 46226 4023ae 11 API calls 46225->46226 46227 402106 46226->46227 46228 402549 28 API calls 46227->46228 46229 402114 46228->46229 46229->45933 46419 4020bf 46230->46419 46232 401fb8 11 API calls 46233 419e3c 46232->46233 46235 401fb8 11 API calls 46233->46235 46234 419e0c 46425 404182 28 API calls 46234->46425 46237 419e44 46235->46237 46240 401fb8 11 API calls 46237->46240 46239 419e18 46241 401fc2 28 API calls 46239->46241 46243 40d43c 46240->46243 46244 419e21 46241->46244 46242 401fc2 28 API calls 46245 419d9a 46242->46245 46252 40e563 46243->46252 46246 401fb8 11 API calls 46244->46246 46245->46234 46245->46242 46247 401fb8 11 API calls 46245->46247 46251 419e0a 46245->46251 46423 404182 28 API calls 46245->46423 46424 41ab9a 28 API calls 46245->46424 46248 419e29 46246->46248 46247->46245 46426 41ab9a 28 API calls 46248->46426 46251->46232 46253 40e56f 46252->46253 46255 40e576 46252->46255 46427 402143 11 API calls 46253->46427 46255->45938 46257 402143 46256->46257 46261 40217f 46257->46261 46428 402710 11 API calls 46257->46428 46259 402164 46429 4026f2 11 API calls std::_Deallocate 46259->46429 46261->45940 46263 
40e624 46262->46263 46430 40f57c 46263->46430 46269 40e663 46270 40d473 46269->46270 46446 40f663 46269->46446 46272 401e45 46270->46272 46273 401e4d 46272->46273 46275 401e55 46273->46275 46541 402138 22 API calls 46273->46541 46275->45948 46279 40f997 __EH_prolog 46277->46279 46542 40fcfb 46279->46542 46280 40f663 36 API calls 46281 40fb90 46280->46281 46546 40fce0 46281->46546 46283 40d491 46285 40e5ba 46283->46285 46284 40fa1a 46284->46280 46552 40f4c6 46285->46552 46288 40d49a 46290 40dd70 46288->46290 46289 40f663 36 API calls 46289->46288 46562 40e5da 70 API calls 46290->46562 46292 40dd7b 46294 4020bf 11 API calls 46293->46294 46295 40530a 46294->46295 46563 403280 46295->46563 46297 405326 46297->45954 46567 4051cf 46298->46567 46300 408217 46571 402035 46300->46571 46303 401fc2 46304 401fd1 46303->46304 46311 402019 46303->46311 46305 4023ae 11 API calls 46304->46305 46306 401fda 46305->46306 46307 40201c 46306->46307 46309 401ff5 46306->46309 46308 40265a 11 API calls 46307->46308 46308->46311 46586 403078 28 API calls 46309->46586 46312 401fb8 46311->46312 46313 4023ae 11 API calls 46312->46313 46314 401fc1 46313->46314 46314->45967 46316 401fb2 46315->46316 46317 401fa9 46315->46317 46316->45972 46587 4025c0 28 API calls 46317->46587 46319->45980 46320->45997 46321->46010 46322->45983 46323->46002 46324->46003 46325->46030 46326->46003 46327->46014 46328->46088 46329->46091 46330->46056 46331->46094 46332->46100 46333->46113 46334->45990 46335->46034 46336->46047 46337->46051 46338->46058 46339->46065 46340->46066 46341->46069 46342->46073 46343->46102 46344->46114 46345->46151 46346->46155 46347->46162 46348->46163 46349->46139 46350->46144 46351->46147 46352->46152 46353->46008 46355->46021 46588 418ccd 103 API calls 46357->46588 46359 4194b0 LoadResource LockResource SizeofResource 46358->46359 46360 40dd9e 46358->46360 46359->46360 46360->46212 46362 40209f 46361->46362 46370 4023ae 46362->46370 46364 4020aa 46374 4024ea 46364->46374 46366 4020b9 
46366->46216 46368 402097 28 API calls 46367->46368 46369 406302 46368->46369 46369->46223 46371 402408 46370->46371 46372 4023b8 46370->46372 46371->46364 46372->46371 46381 402787 11 API calls std::_Deallocate 46372->46381 46375 4024fa 46374->46375 46376 402500 46375->46376 46377 402515 46375->46377 46382 402549 46376->46382 46392 4028c8 46377->46392 46380 402513 46380->46366 46381->46371 46403 402868 46382->46403 46384 40255d 46385 402572 46384->46385 46386 402587 46384->46386 46408 402a14 22 API calls 46385->46408 46388 4028c8 28 API calls 46386->46388 46391 402585 46388->46391 46389 40257b 46409 4029ba 22 API calls 46389->46409 46391->46380 46393 4028d1 46392->46393 46394 402933 46393->46394 46395 4028db 46393->46395 46417 402884 22 API calls 46394->46417 46398 4028e4 46395->46398 46401 4028f7 46395->46401 46411 402c8e 46398->46411 46399 4028f5 46399->46380 46401->46399 46402 4023ae 11 API calls 46401->46402 46402->46399 46404 402870 46403->46404 46405 402878 46404->46405 46410 402c83 22 API calls 46404->46410 46405->46384 46408->46389 46409->46391 46412 402c98 __EH_prolog 46411->46412 46418 402e34 22 API calls 46412->46418 46414 4023ae 11 API calls 46416 402d72 46414->46416 46415 402d04 46415->46414 46416->46399 46418->46415 46420 4020c7 46419->46420 46421 4023ae 11 API calls 46420->46421 46422 4020d2 46421->46422 46422->46245 46423->46245 46424->46245 46425->46239 46426->46251 46427->46255 46428->46259 46429->46261 46450 40f821 46430->46450 46433 40f55d 46528 40f7fb 46433->46528 46435 40f565 46533 40f44c 46435->46533 46437 40e651 46438 40f502 46437->46438 46439 40f510 46438->46439 46445 40f53f std::ios_base::_Ios_base_dtor 46438->46445 46538 4335cb 65 API calls 46439->46538 46441 40f51d 46442 40f44c 20 API calls 46441->46442 46441->46445 46443 40f52e 46442->46443 46539 40fbc8 77 API calls 6 library calls 46443->46539 46445->46269 46447 40f66b 46446->46447 46448 40f67e 46446->46448 46540 40f854 36 API calls 46447->46540 46448->46270 46457 40d2ce 46450->46457 
46454 40f83c 46455 40e631 46454->46455 46456 40f663 36 API calls 46454->46456 46455->46433 46456->46455 46458 40d2ff 46457->46458 46459 43229f new 22 API calls 46458->46459 46460 40d306 46459->46460 46467 40cb7a 46460->46467 46463 40f887 46464 40f896 46463->46464 46502 40f8b7 46464->46502 46466 40f89c std::ios_base::_Ios_base_dtor 46466->46454 46470 4332ea 46467->46470 46469 40cb84 46469->46463 46471 4332f6 __EH_prolog3 46470->46471 46482 4330a5 46471->46482 46474 433332 46488 4330fd 46474->46488 46476 433314 46496 43347f 37 API calls _Atexit 46476->46496 46478 433370 std::locale::_Locimp::_Locimp_dtor 46478->46469 46480 43331c 46497 433240 21 API calls 2 library calls 46480->46497 46483 4330b4 46482->46483 46484 4330bb 46482->46484 46498 442df9 EnterCriticalSection _Atexit 46483->46498 46485 4330b9 46484->46485 46499 43393c EnterCriticalSection 46484->46499 46485->46474 46495 43345a 22 API calls 2 library calls 46485->46495 46489 433107 46488->46489 46490 442e02 46488->46490 46491 43311a 46489->46491 46500 43394a LeaveCriticalSection 46489->46500 46501 442de2 LeaveCriticalSection 46490->46501 46491->46478 46494 442e09 46494->46478 46495->46476 46496->46480 46497->46474 46498->46485 46499->46485 46500->46491 46501->46494 46503 4330a5 std::_Lockit::_Lockit 2 API calls 46502->46503 46504 40f8c9 46503->46504 46523 40cae9 4 API calls 2 library calls 46504->46523 46506 40f8dc 46507 40f8ef 46506->46507 46524 40ccd4 77 API calls new 46506->46524 46508 4330fd std::_Lockit::~_Lockit 2 API calls 46507->46508 46510 40f925 46508->46510 46510->46466 46511 40f8ff 46512 40f906 46511->46512 46513 40f92d 46511->46513 46525 4332b6 22 API calls new 46512->46525 46526 436ec6 RaiseException 46513->46526 46516 40f943 46517 40f984 46516->46517 46527 43219b EnterCriticalSection LeaveCriticalSection WaitForSingleObjectEx __Init_thread_wait 46516->46527 46517->46466 46523->46506 46524->46511 46525->46507 46526->46516 46529 43229f new 22 API calls 46528->46529 46530 40f80b 46529->46530 46531 
40cb7a 41 API calls 46530->46531 46532 40f813 46531->46532 46532->46435 46534 40f469 46533->46534 46535 40f48b 46534->46535 46537 43aa1a 20 API calls 2 library calls 46534->46537 46535->46437 46537->46535 46538->46441 46539->46445 46540->46448 46544 40fd0e 46542->46544 46543 40fd3c 46543->46284 46544->46543 46550 40fe14 36 API calls 46544->46550 46547 40fce8 46546->46547 46549 40fcf3 46547->46549 46551 40fe79 36 API calls __EH_prolog 46547->46551 46549->46283 46550->46543 46551->46549 46553 40f4d4 46552->46553 46559 40f4d0 46552->46559 46560 40f30b 67 API calls 46553->46560 46555 40f4d9 46561 43a716 64 API calls 3 library calls 46555->46561 46556 40f44c 20 API calls 46558 40e5c5 46556->46558 46558->46288 46558->46289 46559->46556 46560->46555 46561->46559 46562->46292 46565 40328a 46563->46565 46564 4032a9 46564->46297 46565->46564 46566 4028c8 28 API calls 46565->46566 46566->46564 46568 4051db 46567->46568 46577 405254 46568->46577 46570 4051e8 46570->46300 46572 402041 46571->46572 46573 4023ae 11 API calls 46572->46573 46574 40205b 46573->46574 46582 40265a 46574->46582 46578 405262 46577->46578 46581 402884 22 API calls 46578->46581 46583 40266b 46582->46583 46584 4023ae 11 API calls 46583->46584 46585 40206d 46584->46585 46585->46303 46586->46311 46587->46316 46596 411253 61 API calls 46595->46596 46598 4406a8 _Atexit 46597->46598 46599 4406c0 46598->46599 46600 4407f6 _Atexit GetModuleHandleW 46598->46600 46619 442d9a EnterCriticalSection 46599->46619 46602 4406b4 46600->46602 46602->46599 46631 44083a GetModuleHandleExW 46602->46631 46603 440766 46620 4407a6 46603->46620 46607 44073d 46610 440755 46607->46610 46640 441707 5 API calls ___crtLCMapStringA 46607->46640 46608 440783 46623 4407b5 46608->46623 46609 4407af 46642 454909 5 API calls ___crtLCMapStringA 46609->46642 46641 441707 5 API calls ___crtLCMapStringA 46610->46641 46616 4406c8 46616->46603 46616->46607 46639 441450 20 API calls _Atexit 46616->46639 46619->46616 46643 442de2 
LeaveCriticalSection 46620->46643 46622 44077f 46622->46608 46622->46609 46644 4461f8 46623->46644 46626 4407e3 46629 44083a _Atexit 8 API calls 46626->46629 46627 4407c3 GetPEB 46627->46626 46628 4407d3 GetCurrentProcess TerminateProcess 46627->46628 46628->46626 46630 4407eb ExitProcess 46629->46630 46632 440864 GetProcAddress 46631->46632 46633 440887 46631->46633 46636 440879 46632->46636 46634 440896 46633->46634 46635 44088d FreeLibrary 46633->46635 46637 432d4b ___crtLCMapStringA 5 API calls 46634->46637 46635->46634 46636->46633 46638 4408a0 46637->46638 46638->46599 46639->46607 46640->46610 46641->46603 46643->46622 46645 44621d 46644->46645 46649 446213 46644->46649 46650 4459f9 46645->46650 46647 432d4b ___crtLCMapStringA 5 API calls 46648 4407bf 46647->46648 46648->46626 46648->46627 46649->46647 46651 445a25 46650->46651 46652 445a29 46650->46652 46651->46652 46655 445a49 46651->46655 46657 445a95 46651->46657 46652->46649 46654 445a55 GetProcAddress 46656 445a65 __crt_fast_encode_pointer 46654->46656 46655->46652 46655->46654 46656->46652 46658 445ab6 LoadLibraryExW 46657->46658 46663 445aab 46657->46663 46659 445ad3 GetLastError 46658->46659 46660 445aeb 46658->46660 46659->46660 46661 445ade LoadLibraryExW 46659->46661 46662 445b02 FreeLibrary 46660->46662 46660->46663 46661->46660 46662->46663 46663->46651

                              Control-flow Graph

                              APIs
                              • LoadLibraryA.KERNELBASE(Psapi.dll,GetModuleFileNameExA,?,?,?,?,0040D40C), ref: 0041A8EF
                              • GetProcAddress.KERNEL32(00000000), ref: 0041A8F8
                              • GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExA,?,?,?,?,0040D40C), ref: 0041A90F
                              • GetProcAddress.KERNEL32(00000000), ref: 0041A912
                              • LoadLibraryA.KERNEL32(Psapi.dll,GetModuleFileNameExW,?,?,?,?,0040D40C), ref: 0041A924
                              • GetProcAddress.KERNEL32(00000000), ref: 0041A927
                              • GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExW,?,?,?,?,0040D40C), ref: 0041A93D
                              • GetProcAddress.KERNEL32(00000000), ref: 0041A940
                              • GetModuleHandleA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D40C), ref: 0041A951
                              • GetProcAddress.KERNEL32(00000000), ref: 0041A954
                              • GetModuleHandleA.KERNEL32(user32,SetProcessDpiAware,?,?,?,?,0040D40C), ref: 0041A969
                              • GetProcAddress.KERNEL32(00000000), ref: 0041A96C
                              • LoadLibraryA.KERNEL32(ntdll.dll,NtUnmapViewOfSection,?,?,?,?,0040D40C), ref: 0041A97D
                              • GetProcAddress.KERNEL32(00000000), ref: 0041A980
                              • LoadLibraryA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx,?,?,?,?,0040D40C), ref: 0041A98C
                              • GetProcAddress.KERNEL32(00000000), ref: 0041A98F
                              • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D40C), ref: 0041A9A1
                              • GetProcAddress.KERNEL32(00000000), ref: 0041A9A4
                              • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D40C), ref: 0041A9B1
                              • GetProcAddress.KERNEL32(00000000), ref: 0041A9B4
                              • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D40C), ref: 0041A9C5
                              • GetProcAddress.KERNEL32(00000000), ref: 0041A9C8
                              • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D40C), ref: 0041A9D5
                              • GetProcAddress.KERNEL32(00000000), ref: 0041A9D8
                              • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D40C), ref: 0041A9EA
                              • GetProcAddress.KERNEL32(00000000), ref: 0041A9ED
                              • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D40C), ref: 0041A9FA
                              • GetProcAddress.KERNEL32(00000000), ref: 0041A9FD
                              • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D40C), ref: 0041AA0A
                              • GetProcAddress.KERNEL32(00000000), ref: 0041AA0D
                              • GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemTimes,?,?,?,?,0040D40C), ref: 0041AA1F
                              • GetProcAddress.KERNEL32(00000000), ref: 0041AA22
                              • LoadLibraryA.KERNEL32(Shlwapi.dll,0000000C,?,?,?,?,0040D40C), ref: 0041AA30
                              • GetProcAddress.KERNEL32(00000000), ref: 0041AA33
                              • LoadLibraryA.KERNEL32(kernel32.dll,GetConsoleWindow,?,?,?,?,0040D40C), ref: 0041AA40
                              • GetProcAddress.KERNEL32(00000000), ref: 0041AA43
                              Strings
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressProc$HandleModule$LibraryLoad
                              • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetModuleFileNameExA$GetModuleFileNameExW$GetMonitorInfoW$GetSystemTimes$GlobalMemoryStatusEx$IsUserAnAdmin$IsWow64Process$Kernel32.dll$NtUnmapViewOfSection$Psapi.dll$SetProcessDEPPolicy$SetProcessDpiAware$SetProcessDpiAwareness$Shell32$Shlwapi.dll$kernel32$kernel32.dll$ntdll.dll$shcore$user32
                              • API String ID: 551388010-2474455403
                              • Opcode ID: e80cee8c84c8c84204283680f0404711a146afcd0be7a07adf6e8d3a182e926f
                              • Instruction ID: 1e7ebd14e1f9a52016720e07cc743ec1e909bc11fdf6f09267ddb838bd68d733
                              • Opcode Fuzzy Hash: e80cee8c84c8c84204283680f0404711a146afcd0be7a07adf6e8d3a182e926f
                              • Instruction Fuzzy Hash: 9031EBF0E413587ADB207BBA5C09E5B3E9CDA80794711052BB408D3661FAFC9C448E6E

                              Control-flow Graph

                              APIs
                              • GetCurrentProcess.KERNEL32(00000000,?,0044078B,00000000,0046B4F8,0000000C,004408E2,00000000,00000002,00000000), ref: 004407D6
                              • TerminateProcess.KERNEL32(00000000,?,0044078B,00000000,0046B4F8,0000000C,004408E2,00000000,00000002,00000000), ref: 004407DD
                              • ExitProcess.KERNEL32 ref: 004407EF
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: Process$CurrentExitTerminate
                              • String ID:
                              • API String ID: 1703294689-0
                              • Opcode ID: ab47e799b5bc4cc6dde358da0dc0a23fd4678ab9e3bf0635ceb4545ab71368f2
                              • Instruction ID: 8c86c1f28e0fd2f6406888839527a8aea1509f7e03a0ffdd8510570f14deced8
                              • Opcode Fuzzy Hash: ab47e799b5bc4cc6dde358da0dc0a23fd4678ab9e3bf0635ceb4545ab71368f2
                              • Instruction Fuzzy Hash: 9AE04631000608ABEF017F20DD48A493B29EB40346F410029F9088B232CB3DED52CA89

                              Control-flow Graph

                              APIs
                                • Part of subcall function 0041A8DA: LoadLibraryA.KERNELBASE(Psapi.dll,GetModuleFileNameExA,?,?,?,?,0040D40C), ref: 0041A8EF
                                • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A8F8
                                • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExA,?,?,?,?,0040D40C), ref: 0041A90F
                                • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A912
                                • Part of subcall function 0041A8DA: LoadLibraryA.KERNEL32(Psapi.dll,GetModuleFileNameExW,?,?,?,?,0040D40C), ref: 0041A924
                                • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A927
                                • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExW,?,?,?,?,0040D40C), ref: 0041A93D
                                • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A940
                                • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D40C), ref: 0041A951
                                • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A954
                                • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(user32,SetProcessDpiAware,?,?,?,?,0040D40C), ref: 0041A969
                                • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A96C
                                • Part of subcall function 0041A8DA: LoadLibraryA.KERNEL32(ntdll.dll,NtUnmapViewOfSection,?,?,?,?,0040D40C), ref: 0041A97D
                                • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A980
                                • Part of subcall function 0041A8DA: LoadLibraryA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx,?,?,?,?,0040D40C), ref: 0041A98C
                                • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A98F
                                • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D40C), ref: 0041A9A1
                                • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9A4
                                • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D40C), ref: 0041A9B1
                                • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9B4
                                • Part of subcall function 0041A8DA: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D40C), ref: 0041A9C5
                                • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9C8
                                • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D40C), ref: 0041A9D5
                                • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9D8
                                • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D40C), ref: 0041A9EA
                                • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9ED
                                • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D40C), ref: 0041A9FA
                                • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9FD
                              • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 0040D603
                                • Part of subcall function 0040F98D: __EH_prolog.LIBCMT ref: 0040F992
                              Strings
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressProc$HandleModule$LibraryLoad$H_prologMutexOpen
                              • String ID: (#G$0"G$0"G$0"G$Access Level: $Administrator$Exe$H"G$H"G$Inj$Remcos Agent initialized$Software\$User$`"G$exepath$licence$license_code.txt$origmsc$!G$!G$!G$!G$!G
                              • API String ID: 1529173511-1365410817
                              • Opcode ID: 2dd69d7571eafc38791daeda20d7e1fab6605f3cb407cb475532d63618ebdb48
                              • Instruction ID: a36e185f3bd9362bdba41541190492353975b392bf08c7d21c2bc217d0697d36
                              • Opcode Fuzzy Hash: 2dd69d7571eafc38791daeda20d7e1fab6605f3cb407cb475532d63618ebdb48
                              • Instruction Fuzzy Hash: 5622B960B043412BDA1577B69C67A7E25998F81708F04483FF946BB2E3EEBC4D05839E

                              Control-flow Graph

                              APIs
                              • WaitForSingleObject.KERNEL32(?,000000FF,00000000,00471E90,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E18
                              • SetEvent.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E23
                              • CloseHandle.KERNELBASE(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E2C
                              • closesocket.WS2_32(?), ref: 00404E3A
                              • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E71
                              • SetEvent.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E82
                              • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E89
                              • SetEvent.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E9A
                              • CloseHandle.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E9F
                              • CloseHandle.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404EA4
                              • SetEvent.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404EB1
                              • CloseHandle.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404EB6
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                              • String ID:
                              • API String ID: 3658366068-0
                              • Opcode ID: b1c96c5231e2cfca5084612c4e73afdaef55ac4315f506c78c7bb7997b29a698
                              • Instruction ID: b890c501aeabc943cf782ca315c2c368517b908ebe77e8074f52597b82095e9a
                              • Opcode Fuzzy Hash: b1c96c5231e2cfca5084612c4e73afdaef55ac4315f506c78c7bb7997b29a698
                              • Instruction Fuzzy Hash: 1B212C71000B009FDB216B26DC49B17BBE5FF40326F114A2DE2E212AF1CB79E851DB58

                              Control-flow Graph

                              APIs
                              • GetLastError.KERNEL32(?,00000000,?,00439A11,00000000,?,?,00439A95,00000000,00000000,00000000,00000000,00000000,?,?), ref: 004457AE
                              • _free.LIBCMT ref: 004457E3
                              • _free.LIBCMT ref: 0044580A
                              • SetLastError.KERNEL32(00000000), ref: 00445817
                              • SetLastError.KERNEL32(00000000), ref: 00445820
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: ErrorLast$_free
                              • String ID:
                              • API String ID: 3170660625-0
                              • Opcode ID: d4e383c12478905910161cad80a238fc5d6e44a6254b0909f9091c4c9b8107c1
                              • Instruction ID: 04032910ca93e9be015006ee1c204adc37b37130fda50a8933af11b0a5b4c0b1
                              • Opcode Fuzzy Hash: d4e383c12478905910161cad80a238fc5d6e44a6254b0909f9091c4c9b8107c1
                              • Instruction Fuzzy Hash: 4101FE36100F0077FB127B366CC992B15699FC2B7AB21413BF40592293EE7DCC01462D

                              Control-flow Graph

                              APIs
                              • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,00445A3C,?,00000000,00000000,00000000,?,00445D68,00000006,FlsSetValue), ref: 00445AC7
                              • GetLastError.KERNEL32(?,00445A3C,?,00000000,00000000,00000000,?,00445D68,00000006,FlsSetValue,0045C110,0045C118,00000000,00000364,?,004457F7), ref: 00445AD3
                              • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00445A3C,?,00000000,00000000,00000000,?,00445D68,00000006,FlsSetValue,0045C110,0045C118,00000000), ref: 00445AE1
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: LibraryLoad$ErrorLast
                              • String ID:
                              • API String ID: 3177248105-0
                              • Opcode ID: 6ca79951660ad3b6e96c8c42d18b75cc874aa2905662dd76989ddfa9726cc4c5
                              • Instruction ID: dabcc1aa4f00c9d7d6140ee010913d89a9079070269616da1364236c98588597
                              • Opcode Fuzzy Hash: 6ca79951660ad3b6e96c8c42d18b75cc874aa2905662dd76989ddfa9726cc4c5
                              • Instruction Fuzzy Hash: 8501FC32601B276BDF218A78AC84D577758EF05B617110635F906E3242D724DC01C6E8

                              Control-flow Graph

                              APIs
                              • GetProcAddress.KERNEL32(00000000,?), ref: 00445A59
                              • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00445A66
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressProc__crt_fast_encode_pointer
                              • String ID:
                              • API String ID: 2279764990-0
                              • Opcode ID: c61b452eecc00867d96f211e5a9c10d9e28e8afd79249807e8935c7f12eaf234
                              • Instruction ID: f797c493580bcbb57e031b514bcf368a6941c3076375826e2c1e25af396318bd
                              • Opcode Fuzzy Hash: c61b452eecc00867d96f211e5a9c10d9e28e8afd79249807e8935c7f12eaf234
                              • Instruction Fuzzy Hash: AA113A37A009319BAF21DE69ECC086B7391AB847247164332FC15BB346E634EC0286E9

                              Control-flow Graph

                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f210c679e2b780eded3ea4ef50917041f60fa4d2abe52b8749c2b449606446f0
                              • Instruction ID: 17b6f17919427e724365abd55f1db4a6b8769e1fa76fb76fe63095c9ff18be87
                              • Opcode Fuzzy Hash: f210c679e2b780eded3ea4ef50917041f60fa4d2abe52b8749c2b449606446f0
                              • Instruction Fuzzy Hash: 09F0ECB02042015BCB1C9B34CD5062B379A4BA8365F289F7FF02BD61E0C73AC895860D

                              Control-flow Graph

                              APIs
                              • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,004457DA,00000001,00000364,?,00000000,?,00439A11,00000000,?,?,00439A95,00000000), ref: 00443046
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: AllocateHeap
                              • String ID:
                              • API String ID: 1279760036-0
                              • Opcode ID: 8a82d2413be822b6e30d7260cb8c0ab5a5cb0f0d071671a377993aa538de489b
                              • Instruction ID: 6f1ff5b5ffdcc79539d97ae047dfd157567b1d653d04e58146e0509186e3fe0c
                              • Opcode Fuzzy Hash: 8a82d2413be822b6e30d7260cb8c0ab5a5cb0f0d071671a377993aa538de489b
                              • Instruction Fuzzy Hash: A0F0B43220022466FB319E229C01A5B3749AF42FA2F158227BC04E62C9CA78DE1182AD

                              Control-flow Graph

                              APIs
                              • RtlAllocateHeap.NTDLL(00000000,00433069,?,?,004365E7,?,?,00000000,00473A38,?,0040C88A,00433069,?,?,?,?), ref: 0044367B
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: AllocateHeap
                              • String ID:
                              • API String ID: 1279760036-0
                              • Opcode ID: 0c61ffa0ec78c269e0422769366e0108c3b164e239eff4ad14a217a7d57edf52
                              • Instruction ID: 99ef05a6bb91785527f59a1062444bc3c705daae6acf277761014d7f2c467fed
                              • Opcode Fuzzy Hash: 0c61ffa0ec78c269e0422769366e0108c3b164e239eff4ad14a217a7d57edf52
                              • Instruction Fuzzy Hash: 7EE0E52110162377F6312E635C0075B36489F41BA2F17412BFC8596780CB69CE0041AD
                              APIs
                              • GetCurrentProcessId.KERNEL32 ref: 00410B6B
                                • Part of subcall function 00412268: RegCreateKeyA.ADVAPI32(80000001,00000000,P0F), ref: 00412276
                                • Part of subcall function 00412268: RegSetValueExA.ADVAPI32(P0F,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B093,004638E0,00000001,000000AF,00463050), ref: 00412291
                                • Part of subcall function 00412268: RegCloseKey.ADVAPI32(?,?,?,?,0040B093,004638E0,00000001,000000AF,00463050), ref: 0041229C
                              • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00410BAB
                              • CloseHandle.KERNEL32(00000000), ref: 00410BBA
                              • CreateThread.KERNEL32(00000000,00000000,00411253,00000000,00000000,00000000), ref: 00410C10
                              • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 00410E7F
                              Strings
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
                              • String ID: (#G$Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe$!G
                              • API String ID: 3018269243-1736093966
                              • Opcode ID: 0994219a8e8a2e6fdacb02da6b6c9aac93029fb7835260760d01e793a2ba6ee3
                              • Instruction ID: e4f63523a9081b51a3adb9d06d528b7104d503695ba60a117a14e5ebfa22ea95
                              • Opcode Fuzzy Hash: 0994219a8e8a2e6fdacb02da6b6c9aac93029fb7835260760d01e793a2ba6ee3
                              • Instruction Fuzzy Hash: DD71923160430167C604FB62DD67DAE73A8AE91308F50097FF546621E2EEBC9E49C69F
                              APIs
                              • SetEvent.KERNEL32(?,?), ref: 00406D4A
                              • GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 00406E18
                              • DeleteFileW.KERNEL32(00000000), ref: 00406E3A
                                • Part of subcall function 0041A01B: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,00471E78,?), ref: 0041A076
                                • Part of subcall function 0041A01B: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,00471E78,?), ref: 0041A0A6
                                • Part of subcall function 0041A01B: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,00471E78,?), ref: 0041A0FB
                                • Part of subcall function 0041A01B: FindClose.KERNEL32(00000000,?,?,?,?,?,00471E78,?), ref: 0041A15C
                                • Part of subcall function 0041A01B: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,00471E78,?), ref: 0041A163
                                • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                                • Part of subcall function 00404A81: WaitForSingleObject.KERNEL32(?,00000000,00401A25,?,?,00000004,?,?,00000004,00473A38,00471E78,00000000), ref: 00404B27
                                • Part of subcall function 00404A81: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00473A38,00471E78,00000000,?,?,?,?,?,00401A25), ref: 00404B55
                              • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00407228
                              • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 00407309
                              • DeleteFileA.KERNEL32(?), ref: 0040768E
                              Strings
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: File$Find$DeleteDirectoryEventRemove$AttributesCloseDriveExecuteFirstLocalLogicalNextObjectShellSingleStringsTimeWaitsend
                              • String ID: Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$open
                              • API String ID: 1385304114-1507758755
                              • Opcode ID: 486b9b13a9e0af661d0ec35c4c2a5e664efc39ece2783de0a02d2c3891ac1a86
                              • Instruction ID: 48d75f04ed6415a86b5419c4bbb4b80b443badeb9edbc79095c7941e671ccbd4
                              • Opcode Fuzzy Hash: 486b9b13a9e0af661d0ec35c4c2a5e664efc39ece2783de0a02d2c3891ac1a86
                              • Instruction Fuzzy Hash: EE42A771A043005BC604FB76C86B9AE77A9AF91304F40493FF542671E2EE7D9A09C79B
                              APIs
                              • __Init_thread_footer.LIBCMT ref: 004056C6
                                • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                              • __Init_thread_footer.LIBCMT ref: 00405703
                              • CreatePipe.KERNEL32(00473BB4,00473B9C,00473AC0,00000000,00463068,00000000), ref: 00405796
                              • CreatePipe.KERNEL32(00473BA0,00473BBC,00473AC0,00000000), ref: 004057AC
                              • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00473AD0,00473BA4), ref: 0040581F
                              • Sleep.KERNEL32(0000012C,00000093,?), ref: 00405877
                              • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0040589C
                              • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058C9
                                • Part of subcall function 00432525: __onexit.LIBCMT ref: 0043252B
                              • WriteFile.KERNEL32(00000000,00000000,?,00000000,00471F28,0046306C,00000062,00463050), ref: 004059C4
                              • Sleep.KERNEL32(00000064,00000062,00463050), ref: 004059DE
                              • TerminateProcess.KERNEL32(00000000), ref: 004059F7
                              • CloseHandle.KERNEL32 ref: 00405A03
                              • CloseHandle.KERNEL32 ref: 00405A0B
                              • CloseHandle.KERNEL32 ref: 00405A1D
                              • CloseHandle.KERNEL32 ref: 00405A25
                              Strings
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                              • String ID: SystemDrive$cmd.exe
                              • API String ID: 2994406822-3633465311
                              • Opcode ID: 45804b196eb615b74f37731f9156c820bde623197d48a39944e1cd78d62eaab2
                              • Instruction ID: 60b94bd4732a7a61eda53217d638a5a8398e5d64ba0573e0a23605d008395794
                              • Opcode Fuzzy Hash: 45804b196eb615b74f37731f9156c820bde623197d48a39944e1cd78d62eaab2
                              • Instruction Fuzzy Hash: 2991D571600204AFC710BF65AC52D6F3698EB44745F00443FF949A72E3DA7CAE489B6E
                              APIs
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040AAF0
                              • FindClose.KERNEL32(00000000), ref: 0040AB0A
                              • FindNextFileA.KERNEL32(00000000,?), ref: 0040AC2D
                              • FindClose.KERNEL32(00000000), ref: 0040AC53
                              Strings
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$CloseFile$FirstNext
                              • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                              • API String ID: 1164774033-3681987949
                              • Opcode ID: ca0fae3423e82ba65057aab1becec6cc490b3020935d7fd6147cf858be723e25
                              • Instruction ID: fcfcc6101c27069c9b98dcbc284c26b589152974821445ccf2a2d41a2abcc6ea
                              • Opcode Fuzzy Hash: ca0fae3423e82ba65057aab1becec6cc490b3020935d7fd6147cf858be723e25
                              • Instruction Fuzzy Hash: DD516C7190021A9ADB14FBB1DC96EEEB738AF10309F50057FF406720E2FF785A458A5A
                              APIs
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040ACF0
                              • FindClose.KERNEL32(00000000), ref: 0040AD0A
                              • FindNextFileA.KERNEL32(00000000,?), ref: 0040ADCA
                              • FindClose.KERNEL32(00000000), ref: 0040ADF0
                              • FindClose.KERNEL32(00000000), ref: 0040AE11
                              Strings
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$Close$File$FirstNext
                              • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                              • API String ID: 3527384056-432212279
                              • Opcode ID: 73f140f6d35823a17bd4706e2565cdbe6c65283cd980cbef6400db2aba249c94
                              • Instruction ID: fb37dd61a783c7e48c67abb1194b5e9e6d585cff7aa156a37ad31c809035e36e
                              • Opcode Fuzzy Hash: 73f140f6d35823a17bd4706e2565cdbe6c65283cd980cbef6400db2aba249c94
                              • Instruction Fuzzy Hash: 33417E7190021A5ACB14FBB1DC56DEEB729AF11306F50057FF402B21D2EF789A468A9E
                              APIs
                              • OpenClipboard.USER32 ref: 00414EC2
                              • EmptyClipboard.USER32 ref: 00414ED0
                              • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 00414EF0
                              • GlobalLock.KERNEL32(00000000), ref: 00414EF9
                              • GlobalUnlock.KERNEL32(00000000), ref: 00414F2F
                              • SetClipboardData.USER32(0000000D,00000000), ref: 00414F38
                              • CloseClipboard.USER32 ref: 00414F55
                              • OpenClipboard.USER32 ref: 00414F5C
                              • GetClipboardData.USER32(0000000D), ref: 00414F6C
                              • GlobalLock.KERNEL32(00000000), ref: 00414F75
                              • GlobalUnlock.KERNEL32(00000000), ref: 00414F7E
                              • CloseClipboard.USER32 ref: 00414F84
                                • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                              • String ID:
                              • API String ID: 3520204547-0
                              • Opcode ID: 7af418065d64d393ef04eab576563171d8b43fad0296cfc06dd8feeb27fac25d
                              • Instruction ID: 88f859f6ed4527f0268ca0f0dcff7fecf11b3a85ebb64268ee3e6238e9d0ca75
                              • Opcode Fuzzy Hash: 7af418065d64d393ef04eab576563171d8b43fad0296cfc06dd8feeb27fac25d
                              • Instruction Fuzzy Hash: C32162312043009BD714BF71DC5A9BE76A8AF90746F81093EF906931E3EF3889458A6A
                              APIs
                              • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,00471E78,?), ref: 0041A076
                              • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,00471E78,?), ref: 0041A0A6
                              • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,00471E78,?), ref: 0041A118
                              • DeleteFileW.KERNEL32(?,?,?,?,?,?,00471E78,?), ref: 0041A125
                                • Part of subcall function 0041A01B: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,00471E78,?), ref: 0041A0FB
                              • GetLastError.KERNEL32(?,?,?,?,?,00471E78,?), ref: 0041A146
                              • FindClose.KERNEL32(00000000,?,?,?,?,?,00471E78,?), ref: 0041A15C
                              • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,00471E78,?), ref: 0041A163
                              • FindClose.KERNEL32(00000000,?,?,?,?,?,00471E78,?), ref: 0041A16C
                              Strings
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                              • String ID: 05Wu`Wu
                              • API String ID: 2341273852-3643370980
                              • Opcode ID: 2253f20c687efd1695f59cc813ac36ef13daa749edc7cb4b9e2c9040a42a2537
                              • Instruction ID: c5fafce0dbccb0860899da49af80cd87a4a733faaf08891c553187227cdc222a
                              • Opcode Fuzzy Hash: 2253f20c687efd1695f59cc813ac36ef13daa749edc7cb4b9e2c9040a42a2537
                              • Instruction Fuzzy Hash: 5F31937290121C6ADB20EBA0DC49EDB77BCAB08305F4406FBF558D3152EB39DAD48A19
                              Strings
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: 0$1$2$3$4$5$6$7
                              • API String ID: 0-3177665633
                              • Opcode ID: d8735d6a0333336ade1e6f6e2efec2098777929bb537579fb175260dc37f0ebb
                              • Instruction ID: 7e6592d3055df16b324e67483fbf58bd1f951358f7384255f7d9d01b5e43b049
                              • Opcode Fuzzy Hash: d8735d6a0333336ade1e6f6e2efec2098777929bb537579fb175260dc37f0ebb
                              • Instruction Fuzzy Hash: 7661D4709183019ED704EF21D8A1FAB7BB4DF94310F10881FF5A25B2D1DA789A49CBA6
                              APIs
                              • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004727F8), ref: 00418714
                              • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 00418763
                              • GetLastError.KERNEL32 ref: 00418771
                              • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 004187A9
                              Similarity
                              • API ID: EnumServicesStatus$ErrorLastManagerOpen
                              • String ID:
                              APIs
                              • FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0040B2DC
                              • FindNextFileW.KERNEL32(00000000,?), ref: 0040B3AF
                              • FindClose.KERNEL32(00000000), ref: 0040B3BE
                              • FindClose.KERNEL32(00000000), ref: 0040B3E9
                              Similarity
                              • API ID: Find$CloseFile$FirstNext
                              • String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
                              APIs
                              • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040935B
                              • SetWindowsHookExA.USER32(0000000D,0040932C,00000000), ref: 00409369
                              • GetLastError.KERNEL32 ref: 00409375
                                • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                              • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 004093C3
                              • TranslateMessage.USER32(?), ref: 004093D2
                              • DispatchMessageA.USER32(?), ref: 004093DD
                              Similarity
                              • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                              • String ID: Keylogger initialization failure: error $`Wu
                              APIs
                                • Part of subcall function 00410201: SetLastError.KERNEL32(0000000D,00410781,00000000,$.F,?,?,?,?,?,?,?,?,?,?,?,0041075F), ref: 00410207
                              • SetLastError.KERNEL32(000000C1,00000000,$.F,?,?,?,?,?,?,?,?,?,?,?,0041075F), ref: 0041079C
                              • GetNativeSystemInfo.KERNEL32(?,?,00000000,$.F,?,?,?,?,?,?,?,?,?,?,?,0041075F), ref: 0041080A
                              • SetLastError.KERNEL32(0000000E), ref: 0041082E
                                • Part of subcall function 00410708: VirtualAlloc.KERNEL32(00000000,00000000,00000000,00000000,0041084C,?,00000000,00003000,00000004,00000000), ref: 00410718
                              • GetProcessHeap.KERNEL32(00000008,00000040), ref: 00410875
                              • HeapAlloc.KERNEL32(00000000), ref: 0041087C
                              • SetLastError.KERNEL32(0000045A), ref: 0041098F
                                • Part of subcall function 00410ADC: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,0041099C), ref: 00410B4C
                                • Part of subcall function 00410ADC: HeapFree.KERNEL32(00000000), ref: 00410B53
                              Similarity
                              • API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
                              • String ID: $.F
                              APIs
                              • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004129B8
                              • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004129C4
                                • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                              • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 00412CBA
                              • GetProcAddress.KERNEL32(00000000), ref: 00412CC1
                              Similarity
                              • API ID: AddressCloseCreateLibraryLoadProcsend
                              • String ID: SHDeleteKeyW$Shlwapi.dll
                              APIs
                              • _free.LIBCMT ref: 00446741
                              • _free.LIBCMT ref: 00446765
                              • _free.LIBCMT ref: 004468EC
                              • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045C1E4), ref: 004468FE
                              • WideCharToMultiByte.KERNEL32(00000000,00000000,0046F754,000000FF,00000000,0000003F,00000000,?,?), ref: 00446976
                              • WideCharToMultiByte.KERNEL32(00000000,00000000,0046F7A8,000000FF,?,0000003F,00000000,?), ref: 004469A3
                              • _free.LIBCMT ref: 00446AB8
                              Similarity
                              • API ID: _free$ByteCharMultiWide$InformationTimeZone
                              • String ID:
                              APIs
                                • Part of subcall function 00411F34: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?), ref: 00411F54
                                • Part of subcall function 00411F34: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,00000000), ref: 00411F72
                                • Part of subcall function 00411F34: RegCloseKey.ADVAPI32(?), ref: 00411F7D
                              • Sleep.KERNEL32(00000BB8), ref: 0040E243
                              • ExitProcess.KERNEL32 ref: 0040E2B4
                              Similarity
                              • API ID: CloseExitOpenProcessQuerySleepValue
                              • String ID: 3.8.0 Pro$override$pth_unenc$!G
                              APIs
                              • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00419392
                              • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 004193A8
                              • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 004193C1
                              • InternetCloseHandle.WININET(00000000), ref: 00419407
                              • InternetCloseHandle.WININET(00000000), ref: 0041940A
                              Strings
                              • http://geoplugin.net/json.gp, xrefs: 004193A2
                              Similarity
                              • API ID: Internet$CloseHandleOpen$FileRead
                              • String ID: http://geoplugin.net/json.gp
                              APIs
                              • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040A98F
                              • GetLastError.KERNEL32 ref: 0040A999
                              Strings
                              • [Chrome StoredLogins not found], xrefs: 0040A9B3
                              • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040A95A
                              • UserProfile, xrefs: 0040A95F
                              • [Chrome StoredLogins found, cleared!], xrefs: 0040A9BF
                              Similarity
                              • API ID: DeleteErrorFileLast
                              • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                              APIs
                              • GetCurrentProcess.KERNEL32(00000028,?), ref: 00415C9D
                              • OpenProcessToken.ADVAPI32(00000000), ref: 00415CA4
                              • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00415CB6
                              • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00415CD5
                              • GetLastError.KERNEL32 ref: 00415CDB
                              Similarity
                              • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                              • String ID: SeShutdownPrivilege
                              APIs
                              • __EH_prolog.LIBCMT ref: 00408393
                                • Part of subcall function 004048A8: connect.WS2_32(?,?,?), ref: 004048C0
                                • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                              • __CxxThrowException@8.LIBVCRUNTIME ref: 0040842F
                              • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 0040848D
                              • FindNextFileW.KERNEL32(00000000,?), ref: 004084E5
                              • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 004084FC
                                • Part of subcall function 00404E06: WaitForSingleObject.KERNEL32(?,000000FF,00000000,00471E90,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E18
                                • Part of subcall function 00404E06: SetEvent.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E23
                                • Part of subcall function 00404E06: CloseHandle.KERNELBASE(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E2C
                              • FindClose.KERNEL32(00000000), ref: 004086F4
                                • Part of subcall function 00404A81: WaitForSingleObject.KERNEL32(?,00000000,00401A25,?,?,00000004,?,?,00000004,00473A38,00471E78,00000000), ref: 00404B27
                                • Part of subcall function 00404A81: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00473A38,00471E78,00000000,?,?,?,?,?,00401A25), ref: 00404B55
                              Similarity
                              • API ID: Find$Close$EventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsend
                              • String ID:
                              APIs
                              • GetForegroundWindow.USER32 ref: 0040949C
                              • GetWindowThreadProcessId.USER32(00000000,?), ref: 004094A7
                              • GetKeyboardLayout.USER32(00000000), ref: 004094AE
                              • GetKeyState.USER32(00000010), ref: 004094B8
                              • GetKeyboardState.USER32(?), ref: 004094C5
                              • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 004094E1
                              Similarity
                              • API ID: KeyboardStateWindow$ForegroundLayoutProcessThreadUnicode
                              • String ID:
                              APIs
                              • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,00418656,00000000), ref: 00418A09
                              • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,00418656,00000000), ref: 00418A1E
                              • CloseServiceHandle.ADVAPI32(00000000,?,00418656,00000000), ref: 00418A2B
                              • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,00418656,00000000), ref: 00418A36
                              • CloseServiceHandle.ADVAPI32(00000000,?,00418656,00000000), ref: 00418A48
                              • CloseServiceHandle.ADVAPI32(00000000,?,00418656,00000000), ref: 00418A4B
                              Similarity
                              • API ID: Service$CloseHandle$Open$ManagerStart
                              • String ID:
                              APIs
                              • FindFirstFileW.KERNEL32(00000000,?), ref: 00417D01
                              • FindNextFileW.KERNEL32(00000000,?,?), ref: 00417DCD
                                • Part of subcall function 0041A20F: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A228
                              Similarity
                              • API ID: File$Find$CreateFirstNext
                              • String ID: H"G$`'G$`'G
                              APIs
                                • Part of subcall function 00415C90: GetCurrentProcess.KERNEL32(00000028,?), ref: 00415C9D
                                • Part of subcall function 00415C90: OpenProcessToken.ADVAPI32(00000000), ref: 00415CA4
                                • Part of subcall function 00415C90: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00415CB6
                                • Part of subcall function 00415C90: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00415CD5
                                • Part of subcall function 00415C90: GetLastError.KERNEL32 ref: 00415CDB
                              • ExitWindowsEx.USER32(00000000,00000001), ref: 00414E56
                              • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 00414E6B
                              • GetProcAddress.KERNEL32(00000000), ref: 00414E72
                              Similarity
                              • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                              • String ID: PowrProf.dll$SetSuspendState
                              APIs
                              • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,0044F93B,?,00000000), ref: 0044F6B5
                              • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,0044F93B,?,00000000), ref: 0044F6DE
                              • GetACP.KERNEL32(?,?,0044F93B,?,00000000), ref: 0044F6F3
                              Similarity
                              • API ID: InfoLocale
                              • String ID: ACP$OCP
                              APIs
                              • GetLocalTime.KERNEL32(?,Offline Keylogger Started,00472008), ref: 0040A0BE
                              • wsprintfW.USER32 ref: 0040A13F
                                • Part of subcall function 0040962E: SetEvent.KERNEL32(?,?,00000000,0040A156,00000000), ref: 0040965A
                              Similarity
                              • API ID: EventLocalTimewsprintf
                              • String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
                              APIs
                              • FindResourceA.KERNEL32(SETTINGS,0000000A), ref: 004194A4
                              • LoadResource.KERNEL32(00000000,?,?,?,0040DD9E), ref: 004194B8
                              • LockResource.KERNEL32(00000000,?,?,?,0040DD9E), ref: 004194BF
                              • SizeofResource.KERNEL32(00000000,?,?,?,0040DD9E), ref: 004194CE
                              Similarity
                              • API ID: Resource$FindLoadLockSizeof
                              • String ID: SETTINGS
                              APIs
                              • __EH_prolog.LIBCMT ref: 004087A5
                              • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 0040881D
                              • FindNextFileW.KERNEL32(00000000,?), ref: 00408846
                              • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 0040885D
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$File$CloseFirstH_prologNext
                              • String ID:
                              • API String ID: 1157919129-0
                              • Opcode ID: 723ee23fa97bb8f6af8cca5773ea7e68c839743d70c3dbe8a8860bd87f8337b2
                              • Instruction ID: 37d480644902bd8bd77a9749fd647df5a3db5b19bbca398f696489d34b7b99bb
                              • Opcode Fuzzy Hash: 723ee23fa97bb8f6af8cca5773ea7e68c839743d70c3dbe8a8860bd87f8337b2
                              • Instruction Fuzzy Hash: 12814D329001199BCB15EBA1DD929ED73B8AF54308F10427FE446B71E2EF385B49CB98
                              APIs
                                • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                                • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                                • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                                • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                                • Part of subcall function 00445725: _free.LIBCMT ref: 00445784
                                • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 00445791
                              • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0044F8FC
                              • IsValidCodePage.KERNEL32(00000000), ref: 0044F957
                              • IsValidLocale.KERNEL32(?,00000001), ref: 0044F966
                              • GetLocaleInfoW.KERNEL32(?,00001001,00441F7E,00000040,?,0044209E,00000055,00000000,?,?,00000055,00000000), ref: 0044F9AE
                              • GetLocaleInfoW.KERNEL32(?,00001002,00441FFE,00000040), ref: 0044F9CD
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                              • String ID:
                              • API String ID: 745075371-0
                              • Opcode ID: b2004c1cc1df407676deb5a86971a5ed3ade22d67ad87857b151b1318ee5498f
                              • Instruction ID: 3a6be996f1d9ea25600d7609fa1d0555167a50dcc121ad64ff78238f3932635f
                              • Opcode Fuzzy Hash: b2004c1cc1df407676deb5a86971a5ed3ade22d67ad87857b151b1318ee5498f
                              • Instruction Fuzzy Hash: 0351A271900215AFFB20EFA5DC41BBF77B8AF08301F05447BE914EB251E7789A088769
                              APIs
                              • __EH_prolog.LIBCMT ref: 0040784D
                              • FindFirstFileW.KERNEL32(00000000,?,004632A8,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407906
                              • __CxxThrowException@8.LIBVCRUNTIME ref: 0040792E
                              • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040793B
                              • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407A51
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$File$CloseException@8FirstH_prologNextThrow
                              • String ID:
                              • API String ID: 1771804793-0
                              • Opcode ID: d2b2406fb78086a357800fb68e00157406e6bc822482aaceecce54b7553cb521
                              • Instruction ID: 4b9324871479917b5af30c26e04a30266e6971a3e86a210f007197118c0b57fe
                              • Opcode Fuzzy Hash: d2b2406fb78086a357800fb68e00157406e6bc822482aaceecce54b7553cb521
                              • Instruction Fuzzy Hash: 18516372904208AACB04FBA1DD969DD7778AF11308F50417FB846771E2EF389B49CB99
                              APIs
                                • Part of subcall function 00419F23: GetCurrentProcess.KERNEL32(?,?,?,0040C663,WinDir,00000000,00000000), ref: 00419F34
                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040E305
                              • Process32FirstW.KERNEL32(00000000,?), ref: 0040E329
                              • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E338
                              • CloseHandle.KERNEL32(00000000), ref: 0040E4EF
                                • Part of subcall function 00419F51: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040DFB9,00000000,?,?,00000001), ref: 00419F66
                                • Part of subcall function 00419F87: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000), ref: 00419F9C
                              • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E4E0
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: ProcessProcess32$NextOpen$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                              • String ID:
                              • API String ID: 1735047541-0
                              • Opcode ID: 6f438c647af3f64ff81423d8645069480e61c42badef12e757d9f04d87e397aa
                              • Instruction ID: 9ef93eb2fb75da2762b4731e21c5b8dc01158be40bd3d18dbb98703d8f1b3e60
                              • Opcode Fuzzy Hash: 6f438c647af3f64ff81423d8645069480e61c42badef12e757d9f04d87e397aa
                              • Instruction Fuzzy Hash: 904101311082415BC365F761D991EEFB3A8AFD4344F50493EF48A921E2EF38994AC75A
                              Strings
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: A%E$A%E
                              • API String ID: 0-137320553
                              • Opcode ID: 4196e068c390569144ba97144776be62b0eb254e97c7fe9274842686a6009a67
                              • Instruction ID: 1c47d48333aa2aee23a91f6ecd96940ee01f0d1a5fc0d697d822b355cdd05c70
                              • Opcode Fuzzy Hash: 4196e068c390569144ba97144776be62b0eb254e97c7fe9274842686a6009a67
                              • Instruction Fuzzy Hash: C4022E71E002199BEF14CFA9C8806AEF7F1EF88715F25816AE819E7341D735AE45CB84
                              APIs
                              • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041A861
                                • Part of subcall function 0041215F: RegCreateKeyA.ADVAPI32(80000001,00000000,00000000), ref: 0041216E
                                • Part of subcall function 0041215F: RegSetValueExA.ADVAPI32(00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,?,00412385,?,00000000), ref: 00412196
                                • Part of subcall function 0041215F: RegCloseKey.ADVAPI32(00000000,?,?,?,00412385,?,00000000), ref: 004121A1
                              Strings
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseCreateInfoParametersSystemValue
                              • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                              • API String ID: 4127273184-3576401099
                              • Opcode ID: 5150ba5cc6bca268b63238cec6e219cc56e1651da33e9e1a7eed9394c1e9f3e3
                              • Instruction ID: 146807b905f8226e4159dba151db05d0611ea4827dca33b530162433be1e3f9d
                              • Opcode Fuzzy Hash: 5150ba5cc6bca268b63238cec6e219cc56e1651da33e9e1a7eed9394c1e9f3e3
                              • Instruction Fuzzy Hash: 7C119671F8024037D514353A4D6BBAE18199343B50F54016BB6022B6CAF8EE4EA553DF
                              APIs
                                • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                                • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                                • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                                • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                              • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00441F85,?,?,?,?,004419DC,?,00000004), ref: 0044EF9A
                              • _wcschr.LIBVCRUNTIME ref: 0044F02A
                              • _wcschr.LIBVCRUNTIME ref: 0044F038
                              • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,00441F85,00000000,004420A5), ref: 0044F0DB
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                              • String ID:
                              • API String ID: 4212172061-0
                              • Opcode ID: 2958d0d59106b2716bbf9024854ff4f325b6253e079e5f73fc6a0a954244a96d
                              • Instruction ID: 651119c321e801f17dd1a7ba429a2dceeb4aa1bed9d5f8a21b6634afb1069130
                              • Opcode Fuzzy Hash: 2958d0d59106b2716bbf9024854ff4f325b6253e079e5f73fc6a0a954244a96d
                              • Instruction Fuzzy Hash: 8E61E935600606AAFB24AB36DC46BB773A8FF44714F14047FF905D7282EB78E9488769
                              APIs
                              • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 004064D2
                              • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 004065B6
                              Strings
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: DownloadExecuteFileShell
                              • String ID: open
                              • API String ID: 2825088817-2758837156
                              • Opcode ID: 400a122d183a9112cc7a0cd06a1688c26b37542af8c87b61aae9a43f761ae058
                              • Instruction ID: de45ecf938be0b84f02b1b366aeabb591a3e89dbb22835c7232af05a142efef6
                              • Opcode Fuzzy Hash: 400a122d183a9112cc7a0cd06a1688c26b37542af8c87b61aae9a43f761ae058
                              • Instruction Fuzzy Hash: 6F61D331A0430167CA14FB75D8A697E77A99F81708F00093FFD42772D6EE3D8A09869B
                              APIs
                                • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                                • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                                • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                                • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                                • Part of subcall function 00445725: _free.LIBCMT ref: 00445784
                                • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 00445791
                              • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0044F2F7
                              • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0044F348
                              • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0044F408
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: ErrorInfoLastLocale$_free$_abort
                              • String ID:
                              • API String ID: 2829624132-0
                              • Opcode ID: 5d155598132bf3b03d9715496123f76655355fd2299683488a64446915391091
                              • Instruction ID: 12c224c4da0c85949021a4ccaa6d586ab513ef91610cb16151a2099a543b2454
                              • Opcode Fuzzy Hash: 5d155598132bf3b03d9715496123f76655355fd2299683488a64446915391091
                              • Instruction Fuzzy Hash: 49617D71600207ABEB289F25CC82B7B77A8EF14314F1041BBED06C6685EB78D949DB58
                              APIs
                              • IsDebuggerPresent.KERNEL32 ref: 004399A4
                              • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 004399AE
                              • UnhandledExceptionFilter.KERNEL32(?), ref: 004399BB
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExceptionFilterUnhandled$DebuggerPresent
                              • String ID:
                              • API String ID: 3906539128-0
                              • Opcode ID: a2edd11b745fd0db19ae8b75a4dca2fd63e5a3b0d4ecfa6da1b026d4ab375051
                              • Instruction ID: 77e6618fa9d19f9c50586940e2a7469f5a9d54f298177c93e0bbf68cc30459b4
                              • Opcode Fuzzy Hash: a2edd11b745fd0db19ae8b75a4dca2fd63e5a3b0d4ecfa6da1b026d4ab375051
                              • Instruction Fuzzy Hash: 1D31D67591122C9BCB21DF65D9897CDB7B8BF08310F5051EAE40CA72A1E7749F858F48
                              APIs
                              • CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,?,00000000,00431274,00000034,?,?,00000000), ref: 004315FE
                              • CryptGenRandom.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00431307,00000000,?,00000000), ref: 00431614
                              • CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,?,00431307,00000000,?,00000000,0041C006), ref: 00431626
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: Crypt$Context$AcquireRandomRelease
                              • String ID:
                              • API String ID: 1815803762-0
                              • Opcode ID: 490f37dff30391dd88b2b348f1e17f82ee14bc365aa64bdd7ac48a14519942bc
                              • Instruction ID: e2f248fbd61bea3c509e9dcbc4a9d000159a3c4e1760f154dd59208f6820a057
                              • Opcode Fuzzy Hash: 490f37dff30391dd88b2b348f1e17f82ee14bc365aa64bdd7ac48a14519942bc
                              • Instruction Fuzzy Hash: FDE0923130C310BBEB304F51AC09F172A55EB8DB72FA5063AF112E50F4D6518801855C
                              APIs
                              • OpenClipboard.USER32(00000000), ref: 0040A65D
                              • GetClipboardData.USER32(0000000D), ref: 0040A669
                              • CloseClipboard.USER32 ref: 0040A671
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: Clipboard$CloseDataOpen
                              • String ID:
                              • API String ID: 2058664381-0
                              • Opcode ID: edb8c36ac275bb67b795d66d8e1b797ea5e31e94c4ba3ac6c333071066a6c16d
                              • Instruction ID: 184f8b84181a4a50bd43ef3289a1c1a9f5b779335cc527adffbe090e77bee848
                              • Opcode Fuzzy Hash: edb8c36ac275bb67b795d66d8e1b797ea5e31e94c4ba3ac6c333071066a6c16d
                              • Instruction Fuzzy Hash: 6CE08C3064432097D2206F60EC08B8A66649B50B12F064A7AB849AB2D1DA75DC208AAE
                              APIs
                              • IsProcessorFeaturePresent.KERNEL32(0000000A,00000000), ref: 004329F3
                              Strings
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: FeaturePresentProcessor
                              • String ID:
                              • API String ID: 2325560087-3916222277
                              • Opcode ID: 6bf946e24e0cf3f7143bf6f7c2898541fb51292b7eeb3b4358a3a41aa26ebfb9
                              • Instruction ID: 4a1c44cf8a386737ece403ae0cfd22a47b20ce31fd9c2d8f3958115f99bf9d9d
                              • Opcode Fuzzy Hash: 6bf946e24e0cf3f7143bf6f7c2898541fb51292b7eeb3b4358a3a41aa26ebfb9
                              • Instruction Fuzzy Hash: E4514A719002099BDB24CFAAD98579ABBF4FF48314F14846BD815EB350E3B9A910CFA5
                              Strings
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: .
                              • API String ID: 0-248832578
                              • Opcode ID: 0742d3138d3954d6b0adc7bce21f8647b4e5777487e1ab8e88fa8e0c5db588f4
                              • Instruction ID: 24926096c943187a016d953fe808ce2acf1242cb654f72e39a34338bfc4b4f1c
                              • Opcode Fuzzy Hash: 0742d3138d3954d6b0adc7bce21f8647b4e5777487e1ab8e88fa8e0c5db588f4
                              • Instruction Fuzzy Hash: 0E3108719002486FEB248E79CC84EEB7BBDDB45304F14419EF858D7251EB34EE418B94
                              APIs
                              • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,004419DC,?,00000004), ref: 00445E6F
                              Strings
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: InfoLocale
                              • String ID: GetLocaleInfoEx
                              • API String ID: 2299586839-2904428671
                              • Opcode ID: 020099d0525865bb6834e28ad9152f433c6e4676045ed3ecc95ad7b7c68cac6a
                              • Instruction ID: a9bb3d2992a9d1fe8e60343c55b6d981a628f421e7cf107d295b861f9edee2c3
                              • Opcode Fuzzy Hash: 020099d0525865bb6834e28ad9152f433c6e4676045ed3ecc95ad7b7c68cac6a
                              • Instruction Fuzzy Hash: 6DF0F631600708BBDF016F619C05F6E7B51EB14721F10401BFC051A253CA758D109A9D
                              APIs
                              • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 004068E8
                              • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 004069B0
                                • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: FileFind$FirstNextsend
                              • String ID:
                              • API String ID: 4113138495-0
                              • Opcode ID: e3ef31e205124b2d37ce34f80ed01c56440b36d419931c260197812f3169fbb8
                              • Instruction ID: f886cb8170a1cbefaa312452e39d18d6cd017e90ab843946bfd6f4b2f28fefe7
                              • Opcode Fuzzy Hash: e3ef31e205124b2d37ce34f80ed01c56440b36d419931c260197812f3169fbb8
                              • Instruction Fuzzy Hash: 9C218F711043015BC314FBA1DC96CEFB7ACAF91358F400A3EF596621E1EF389A09CA5A
                              APIs
                                • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                                • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                                • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                                • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                                • Part of subcall function 00445725: _free.LIBCMT ref: 00445784
                                • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 00445791
                              • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0044F547
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: ErrorLast$_free$InfoLocale_abort
                              • String ID:
                              • API String ID: 1663032902-0
                              • Opcode ID: ad0e0b7788e936bcfdd9e0a2c8ea1aecabb77b710f5984c66624a7eb150c0fcd
                              • Instruction ID: 815750de5804ab4a8f75770bcc990d44dba9c2967eca50803adc2dd3443e40da
                              • Opcode Fuzzy Hash: ad0e0b7788e936bcfdd9e0a2c8ea1aecabb77b710f5984c66624a7eb150c0fcd
                              • Instruction Fuzzy Hash: 6421B372901206BBEF249F26DC45A7A73A8EB04315F10017BFD01C6242EB78AD59CB59
                              APIs
                                • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                                • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                                • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                                • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                              • EnumSystemLocalesW.KERNEL32(0044F2A3,00000001,00000000,?,00441F7E,?,0044F8D0,00000000,?,?,?), ref: 0044F1ED
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: ErrorLast$EnumLocalesSystem_abort_free
                              • String ID:
                              • API String ID: 1084509184-0
                              • Opcode ID: 1e67477eb4f1d9c825940ef83573ecb2aed64948dc5e5734fb002b4aa87f20f9
                              • Instruction ID: fc4c71b657a69648ba6c32e8c27400de65702582941300ca2eca7bc8fd592fd6
                              • Opcode Fuzzy Hash: 1e67477eb4f1d9c825940ef83573ecb2aed64948dc5e5734fb002b4aa87f20f9
                              • Instruction Fuzzy Hash: D811293B6007019FEB189F39D89167BBB91FF80358B14443DE94647B40D776A946C744
                              APIs
                                • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                                • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                                • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                                • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                              • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0044F4C1,00000000,00000000,?), ref: 0044F74F
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: ErrorLast$InfoLocale_abort_free
                              • String ID:
                              • API String ID: 2692324296-0
                              • Opcode ID: c5ca8868f81a5dafb3fdb259ff2b8ec3965b2bfb8aabdce9695f87c3ae70661f
                              • Instruction ID: e4b95bc4a5e1061338a04706472302caa06a68982d3ebb8569a44a178f9f49d5
                              • Opcode Fuzzy Hash: c5ca8868f81a5dafb3fdb259ff2b8ec3965b2bfb8aabdce9695f87c3ae70661f
                              • Instruction Fuzzy Hash: 09F02D36600516BBFB245B65DC05BBB7768EF40764F05447AEC19A3240EA7CFD05C6D4
                              APIs
                                • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                                • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                                • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                                • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                              • EnumSystemLocalesW.KERNEL32(0044F4F3,00000001,?,?,00441F7E,?,0044F894,00441F7E,?,?,?,?,?,00441F7E,?,?), ref: 0044F262
                              Similarity
                              • API ID: ErrorLast$EnumLocalesSystem_abort_free
                              • String ID:
                              • API String ID: 1084509184-0
                              APIs
                              • GetUserNameW.ADVAPI32(?,00000010), ref: 0041962D
                              Similarity
                              • API ID: NameUser
                              • String ID:
                              • API String ID: 2645101109-0
                              APIs
                                • Part of subcall function 00442D9A: EnterCriticalSection.KERNEL32(?,?,004404DB,00000000,0046B4D8,0000000C,00440496,?,?,?,00443038,?,?,004457DA,00000001,00000364), ref: 00442DA9
                              • EnumSystemLocalesW.KERNEL32(004458CE,00000001,0046B680,0000000C), ref: 0044594C
                              Similarity
                              • API ID: CriticalEnterEnumLocalesSectionSystem
                              • String ID:
                              • API String ID: 1272433827-0
                              APIs
                                • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                                • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                                • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                                • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                              • EnumSystemLocalesW.KERNEL32(0044F087,00000001,?,?,?,0044F8F2,00441F7E,?,?,?,?,?,00441F7E,?,?,?), ref: 0044F167
                              Similarity
                              • API ID: ErrorLast$EnumLocalesSystem_abort_free
                              • String ID:
                              • API String ID: 1084509184-0
                              APIs
                              • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,00413F34,00471E78,00472910,00471E78,00000000,00471E78,00000000,00471E78,3.8.0 Pro), ref: 0040E2CF
                              Similarity
                              • API ID: InfoLocale
                              • String ID:
                              • API String ID: 2299586839-0
                              APIs
                              • SetUnhandledExceptionFilter.KERNEL32(Function_00032908,0043262F), ref: 00432901
                              Similarity
                              • API ID: ExceptionFilterUnhandled
                              • String ID:
                              • API String ID: 3192549508-0
                              APIs
                              • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00416474
                              • GetProcAddress.KERNEL32(00000000), ref: 00416477
                              • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 00416488
                              • GetProcAddress.KERNEL32(00000000), ref: 0041648B
                              • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 0041649C
                              • GetProcAddress.KERNEL32(00000000), ref: 0041649F
                              • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004164B0
                              • GetProcAddress.KERNEL32(00000000), ref: 004164B3
                              • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00416555
                              • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041656D
                              • GetThreadContext.KERNEL32(?,00000000), ref: 00416583
                              • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004165A9
                              • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041662B
                              • TerminateProcess.KERNEL32(?,00000000), ref: 0041663F
                              • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041667F
                              • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00416749
                              • SetThreadContext.KERNEL32(?,00000000), ref: 00416766
                              • ResumeThread.KERNEL32(?), ref: 00416773
                              • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041678A
                              • GetCurrentProcess.KERNEL32(?), ref: 00416795
                              • TerminateProcess.KERNEL32(?,00000000), ref: 004167B0
                              • GetLastError.KERNEL32 ref: 004167B8
                              Similarity
                              • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                              • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$`Wu$ntdll
                              • API String ID: 4188446516-529412701
                              APIs
                              • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00416E98
                              • CreateCompatibleDC.GDI32(00000000), ref: 00416EA5
                                • Part of subcall function 004172DF: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 0041730F
                              • CreateCompatibleBitmap.GDI32(00000000,?), ref: 00416F1B
                              • DeleteDC.GDI32(00000000), ref: 00416F32
                              • DeleteDC.GDI32(00000000), ref: 00416F35
                              • DeleteObject.GDI32(00000000), ref: 00416F38
                              • SelectObject.GDI32(00000000,00000000), ref: 00416F59
                              • DeleteDC.GDI32(00000000), ref: 00416F6A
                              • DeleteDC.GDI32(00000000), ref: 00416F6D
                              • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00416F91
                              • GetIconInfo.USER32(?,?), ref: 00416FC5
                              • DeleteObject.GDI32(?), ref: 00416FF4
                              • DeleteObject.GDI32(?), ref: 00417001
                              • DrawIcon.USER32(00000000,?,?,?), ref: 0041700E
                              • GetObjectA.GDI32(00000000,00000018,?), ref: 00417026
                              • LocalAlloc.KERNEL32(00000040,00000001), ref: 00417095
                              • GlobalAlloc.KERNEL32(00000000,?), ref: 00417104
                              • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00417128
                              • DeleteDC.GDI32(?), ref: 0041713C
                              • DeleteDC.GDI32(00000000), ref: 0041713F
                              • DeleteObject.GDI32(00000000), ref: 00417142
                              • GlobalFree.KERNEL32(?), ref: 0041714D
                              • DeleteObject.GDI32(00000000), ref: 00417201
                              • GlobalFree.KERNEL32(?), ref: 00417208
                              • DeleteDC.GDI32(?), ref: 00417218
                              • DeleteDC.GDI32(00000000), ref: 00417223
                              Similarity
                              • API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIcon$BitmapBitsDisplayDrawEnumInfoLocalSelectSettingsStretch
                              • String ID: DISPLAY
                              • API String ID: 479521175-865373369
                              APIs
                                • Part of subcall function 004112B5: TerminateProcess.KERNEL32(00000000,?,0040C3C8), ref: 004112C5
                                • Part of subcall function 004112B5: WaitForSingleObject.KERNEL32(000000FF,?,0040C3C8), ref: 004112D8
                              • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040C0D6
                              • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040C0E9
                              • SetFileAttributesW.KERNEL32(?,00000080), ref: 0040C102
                              • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040C132
                                • Part of subcall function 0040A7F2: TerminateThread.KERNEL32(00409305,00000000,004721E8,0040BC76,?,00472200,pth_unenc,004721E8), ref: 0040A801
                                • Part of subcall function 0040A7F2: UnhookWindowsHookEx.USER32(?), ref: 0040A811
                                • Part of subcall function 0040A7F2: TerminateThread.KERNEL32(004092EF,00000000,?,00472200,pth_unenc,004721E8), ref: 0040A823
                                • Part of subcall function 0041A17B: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041A29A,00000000,00000000,00000000), ref: 0041A1BA
                              • ShellExecuteW.SHELL32(00000000,open,00000000,00469654,00469654,00000000), ref: 0040C37D
                              • ExitProcess.KERNEL32 ref: 0040C389
                              Similarity
                              • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                              • String ID: """, 0$")$CreateObject("WScript.Shell").Run "cmd /c ""$H"G$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$t<F$wend$while fso.FileExists("
                              • API String ID: 1861856835-1953526029
                              APIs
                              • CreateMutexA.KERNEL32(00000000,00000001,00000000,00472200,00471FFC,00000000), ref: 00410EF9
                              • ExitProcess.KERNEL32(00000000), ref: 00410F05
                              • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00410F7F
                              • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00410F8E
                              • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00410F99
                              • CloseHandle.KERNEL32(00000000), ref: 00410FA0
                              • GetCurrentProcessId.KERNEL32 ref: 00410FA6
                              • PathFileExistsW.SHLWAPI(?), ref: 00410FD7
                              • GetTempPathW.KERNEL32(00000104,?), ref: 0041103A
                              • GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 00411054
                              • lstrcatW.KERNEL32(?,.exe), ref: 00411066
                                • Part of subcall function 0041A17B: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041A29A,00000000,00000000,00000000), ref: 0041A1BA
                              • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 004110A6
                              • Sleep.KERNEL32(000001F4), ref: 004110E7
                              • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 004110FC
                              • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00411107
                              • CloseHandle.KERNEL32(00000000), ref: 0041110E
                              • GetCurrentProcessId.KERNEL32 ref: 00411114
                              Similarity
                              • API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
                              • String ID: (#G$.exe$H"G$WDH$exepath$open$temp_
                              • API String ID: 2649220323-71629269
                              APIs
                                • Part of subcall function 004112B5: TerminateProcess.KERNEL32(00000000,?,0040C3C8), ref: 004112C5
                                • Part of subcall function 004112B5: WaitForSingleObject.KERNEL32(000000FF,?,0040C3C8), ref: 004112D8
                              • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,00472200,pth_unenc,004721E8), ref: 0040BD63
                              • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040BD76
                              • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,00472200,pth_unenc,004721E8), ref: 0040BDA6
                              • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,00472200,pth_unenc,004721E8), ref: 0040BDB5
                                • Part of subcall function 0040A7F2: TerminateThread.KERNEL32(00409305,00000000,004721E8,0040BC76,?,00472200,pth_unenc,004721E8), ref: 0040A801
                                • Part of subcall function 0040A7F2: UnhookWindowsHookEx.USER32(?), ref: 0040A811
                                • Part of subcall function 0040A7F2: TerminateThread.KERNEL32(004092EF,00000000,?,00472200,pth_unenc,004721E8), ref: 0040A823
                                • Part of subcall function 00419959: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040405C), ref: 00419980
                              • ShellExecuteW.SHELL32(00000000,open,00000000,00469654,00469654,00000000), ref: 0040BFD0
                              • ExitProcess.KERNEL32 ref: 0040BFD7
                              Similarity
                              • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                              • String ID: ")$.vbs$05Wu`Wu$H"G$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("
                              • API String ID: 3797177996-2910377041
                              APIs
                              • _wcslen.LIBCMT ref: 0040B882
                              • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,00471FFC), ref: 0040B89B
                              • CopyFileW.KERNEL32(0046FB08,00000000,00000000,00000000,00000000,00000000,?,00471FFC), ref: 0040B952
                              • _wcslen.LIBCMT ref: 0040B968
                              • CopyFileW.KERNEL32(0046FB08,00000000,00000000,00000000), ref: 0040B9E0
                              • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BA22
                              • _wcslen.LIBCMT ref: 0040BA25
                              • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BA3C
                              • ShellExecuteW.SHELL32(00000000,open,00000000,00469654,00469654,00000000), ref: 0040BC2A
                              • ExitProcess.KERNEL32 ref: 0040BC36
                              Similarity
                              • API ID: File$_wcslen$AttributesCopy$CreateDirectoryExecuteExitProcessShell
                              • String ID: """, 0$6$CreateObject("WScript.Shell").Run "cmd /c ""$Set fso = CreateObject("Scripting.FileSystemObject")$Temp$WScript.Sleep 1000$\install.vbs$fso.DeleteFile $fso.DeleteFile(Wscript.ScriptFullName)$open$!G$!G
                              • API String ID: 2743683619-2376316431
                              APIs
                              • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 004190F2
                              • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 00419106
                              • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,00463050), ref: 0041912E
                              • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00471E78,00000000), ref: 00419144
                              • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 00419185
                              • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041919D
                              • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 004191B2
                              • SetEvent.KERNEL32 ref: 004191CF
                              • WaitForSingleObject.KERNEL32(000001F4), ref: 004191E0
                              • CloseHandle.KERNEL32 ref: 004191F0
                              • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 00419212
                              • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041921C
                              Similarity
                              • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                              • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped
                              • API String ID: 738084811-1354618412
                              APIs
                              • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AB9
                              • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401AE3
                              • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401AF3
                              • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401B03
                              • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401B13
                              • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401B23
                              • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B34
                              • WriteFile.KERNEL32(00000000,0046FA9A,00000002,00000000,00000000), ref: 00401B45
                              • WriteFile.KERNEL32(00000000,0046FA9C,00000004,00000000,00000000), ref: 00401B55
                              • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401B65
                              • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B76
                              • WriteFile.KERNEL32(00000000,0046FAA6,00000002,00000000,00000000), ref: 00401B87
                              • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401B97
                              • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401BA7
                              Similarity
                              • API ID: File$Write$Create
                              • String ID: RIFF$WAVE$data$fmt
                              • API String ID: 1602526932-4212202414
                              APIs
                              • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0041382B
                              • LoadLibraryA.KERNEL32(?), ref: 0041386D
                              • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 0041388D
                              • FreeLibrary.KERNEL32(00000000), ref: 00413894
                              • LoadLibraryA.KERNEL32(?), ref: 004138CC
                              • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 004138DE
                              • FreeLibrary.KERNEL32(00000000), ref: 004138E5
                              • GetProcAddress.KERNEL32(00000000,?), ref: 004138F4
                              • FreeLibrary.KERNEL32(00000000), ref: 0041390B
                              Strings
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: Library$AddressFreeProc$Load$DirectorySystem
                              • String ID: \ws2_32$\wship6$`3A$freeaddrinfo$getaddrinfo$getnameinfo
                              • API String ID: 2490988753-3443138237
                              • Opcode ID: 21b812c9e8c8c8e619d1227956d82128857f9ec353fd6b4c7c84cf26c4fc7a8e
                              • Instruction ID: d28fd91e0c22c3548fe93de424e57890752fc739e59a71d3c7449bb4191d4936
                              • Opcode Fuzzy Hash: 21b812c9e8c8c8e619d1227956d82128857f9ec353fd6b4c7c84cf26c4fc7a8e
                              • Instruction Fuzzy Hash: 8831C0B2502315ABC720AF25DC489CBBBEC9F48755F41062AF84593251E7B8CE8486AE
                              APIs
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: _free$EnvironmentVariable$_wcschr
                              • String ID:
                              • API String ID: 3899193279-0
                              • Opcode ID: 8f8f6bf8198f661361f87136ecb7ebf93a417bae196628050410ce4dfb3fc85f
                              • Instruction ID: f90cfe9d57a3c7213274ca364bab7ea13f4483d5bd7e80e8c07ab134bc70d503
                              • Opcode Fuzzy Hash: 8f8f6bf8198f661361f87136ecb7ebf93a417bae196628050410ce4dfb3fc85f
                              • Instruction Fuzzy Hash: 80D136719023007BFB60AF7598C166B7BA4AF15718F09817FF985A7381FB3989008B5D
                              APIs
                              • ___free_lconv_mon.LIBCMT ref: 0044E4EA
                                • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D6FF
                                • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D711
                                • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D723
                                • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D735
                                • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D747
                                • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D759
                                • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D76B
                                • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D77D
                                • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D78F
                                • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D7A1
                                • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D7B3
                                • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D7C5
                                • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D7D7
                              • _free.LIBCMT ref: 0044E4DF
                                • Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
                                • Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA
                              • _free.LIBCMT ref: 0044E501
                              • _free.LIBCMT ref: 0044E516
                              • _free.LIBCMT ref: 0044E521
                              • _free.LIBCMT ref: 0044E543
                              • _free.LIBCMT ref: 0044E556
                              • _free.LIBCMT ref: 0044E564
                              • _free.LIBCMT ref: 0044E56F
                              • _free.LIBCMT ref: 0044E5A7
                              • _free.LIBCMT ref: 0044E5AE
                              • _free.LIBCMT ref: 0044E5CB
                              • _free.LIBCMT ref: 0044E5E3
                              Strings
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                              • String ID: pF
                              • API String ID: 161543041-2973420481
                              • Opcode ID: b166b7e86ef1a7ddfa2e36ec319a6e916c21ca5d81851e2e5517d42b5c42f7b7
                              • Instruction ID: 6e8371ae3b83bc2427c047bff221b97f6cd80994471b0a2caeb41cff5b169df7
                              • Opcode Fuzzy Hash: b166b7e86ef1a7ddfa2e36ec319a6e916c21ca5d81851e2e5517d42b5c42f7b7
                              • Instruction Fuzzy Hash: D4315072500304AFFB205E7AD945B5BB3E5BF00719F55851FE488D6251EE39ED408B18
                              APIs
                              • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 004118B2
                                • Part of subcall function 00419959: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040405C), ref: 00419980
                                • Part of subcall function 004168A6: CloseHandle.KERNEL32(004040D5,?,?,004040D5,00462E24), ref: 004168BC
                                • Part of subcall function 004168A6: CloseHandle.KERNEL32($.F,?,?,004040D5,00462E24), ref: 004168C5
                              • Sleep.KERNEL32(0000000A,00462E24), ref: 00411A01
                              • Sleep.KERNEL32(0000000A,00462E24,00462E24), ref: 00411AA3
                              • Sleep.KERNEL32(0000000A,00462E24,00462E24,00462E24), ref: 00411B42
                              • DeleteFileW.KERNEL32(00000000,00462E24,00462E24,00462E24), ref: 00411B9F
                              • DeleteFileW.KERNEL32(00000000,00462E24,00462E24,00462E24), ref: 00411BCF
                              • DeleteFileW.KERNEL32(00000000,00462E24,00462E24,00462E24), ref: 00411C05
                              • Sleep.KERNEL32(000001F4,00462E24,00462E24,00462E24), ref: 00411C25
                              • Sleep.KERNEL32(00000064), ref: 00411C63
                                • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                              Strings
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                              • String ID: /stext "$$.F$@#G$@#G
                              • API String ID: 1223786279-2596709126
                              • Opcode ID: bd53cf9864bd20e9c524ce1cfd37af81de888470282f81bcb092bebe0936cb7c
                              • Instruction ID: f36e1428a9e5a2dc2e21cca38a330b771dfaab2ce7ac60874593ee94e899fa44
                              • Opcode Fuzzy Hash: bd53cf9864bd20e9c524ce1cfd37af81de888470282f81bcb092bebe0936cb7c
                              • Instruction Fuzzy Hash: 1CF154311083415AD328FB65D896AEFB3D5AFD0348F40093FF586521E2EF789A4DC69A
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: _free
                              • String ID: pF
                              • API String ID: 269201875-2973420481
                              • Opcode ID: 2d61484940682ee786660686f26dc7be5fdbe1d580820abb244bed0f912383bb
                              • Instruction ID: 42ad863364e9847d0c0ab7d3fc56807329b255bf3c924c15ca724e031f0c4a7b
                              • Opcode Fuzzy Hash: 2d61484940682ee786660686f26dc7be5fdbe1d580820abb244bed0f912383bb
                              • Instruction Fuzzy Hash: 4CC17576D40204ABEB20DFA9CC82FEE77F8AF09B05F154156FE04FB282D674A9458754
                              APIs
                              • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00472248,00471FFC,?,00000001), ref: 0040DE4E
                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000001), ref: 0040DE79
                              • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040DE95
                              • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040DF14
                              • CloseHandle.KERNEL32(00000000,?,00000000,?,?,00000001), ref: 0040DF23
                                • Part of subcall function 00419F87: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000), ref: 00419F9C
                              • CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,?,00000001), ref: 0040E047
                              • CloseHandle.KERNEL32(00000000,C:\Program Files(x86)\Internet Explorer\,?,00000001), ref: 0040E133
                              Strings
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseCreateHandleProcess32$FileFirstModuleMutexNameNextOpenProcessSnapshotToolhelp32
                              • String ID: 0"G$C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe$!G
                              • API String ID: 193334293-3226144251
                              • Opcode ID: cf6d12ac23d3bea58c4b9e5c443ef1de1d55369046223e9cec53eb66751e9ba7
                              • Instruction ID: 8a3cf51a80cb2752f7e3b1027b115d9c77e2b7a511041fa54b012784d9d6af0a
                              • Opcode Fuzzy Hash: cf6d12ac23d3bea58c4b9e5c443ef1de1d55369046223e9cec53eb66751e9ba7
                              • Instruction Fuzzy Hash: DB8121305083419BCA54FB61D8919EEB7E4AFA0348F40493FF586631E2EF78994DC75A
                              APIs
                              • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041A43B
                              • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041A47F
                              • RegCloseKey.ADVAPI32(?), ref: 0041A749
                              Strings
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseEnumOpen
                              • String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
                              • API String ID: 1332880857-3714951968
                              • Opcode ID: 202c19da245d775da939d21b29cef2875a47ec0cac4e3383d9ae15c6a26c9ad4
                              • Instruction ID: 699f57f5c891f1d806a7f6c627c3d9f808e7165cae3c76f1f7c8ebce292c0808
                              • Opcode Fuzzy Hash: 202c19da245d775da939d21b29cef2875a47ec0cac4e3383d9ae15c6a26c9ad4
                              • Instruction Fuzzy Hash: BC8152311183419BC328EB51D891EEFB7E8EF94348F10493FF586921E2EF749949CA5A
                              APIs
                              • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041B38F
                              • GetCursorPos.USER32(?), ref: 0041B39E
                              • SetForegroundWindow.USER32(?), ref: 0041B3A7
                              • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041B3C1
                              • Shell_NotifyIconA.SHELL32(00000002,00471AE0), ref: 0041B412
                              • ExitProcess.KERNEL32 ref: 0041B41A
                              • CreatePopupMenu.USER32 ref: 0041B420
                              • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041B435
                              Strings
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                              • String ID: Close
                              • API String ID: 1657328048-3535843008
                              • Opcode ID: a6176c0d6380f4aee2a94f66beec31abf772cd011930890969aeab0fce4376ca
                              • Instruction ID: 8a5f592793453ec618f968136b1e584160f7030753e38ead18fcaf25e3e96fa7
                              • Opcode Fuzzy Hash: a6176c0d6380f4aee2a94f66beec31abf772cd011930890969aeab0fce4376ca
                              • Instruction Fuzzy Hash: EB211B31110209BFDF054FA4ED0DAAA3F75FB04302F458125F906D2176D7B5D9A0AB59
                              APIs
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: _free$Info
                              • String ID:
                              • API String ID: 2509303402-0
                              • Opcode ID: fdea39b954b1f5acf66d6067823d5c965f1ccd743e2f457f67106af727a2ce82
                              • Instruction ID: c21780bae5ed168c96e0403295faec6c801d35bf5d84feaa2b3ea2b847582f92
                              • Opcode Fuzzy Hash: fdea39b954b1f5acf66d6067823d5c965f1ccd743e2f457f67106af727a2ce82
                              • Instruction Fuzzy Hash: 70B1D171900305AFEB11DF69C881BEEBBF4BF08705F14456EF588A7342DB799A418B24
                              APIs
                              • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00407D1F
                              • GetFileSizeEx.KERNEL32(00000000,?), ref: 00407D57
                              • __aulldiv.LIBCMT ref: 00407D89
                                • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                              • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00407EAC
                              • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00407EC7
                              • CloseHandle.KERNEL32(00000000), ref: 00407FA0
                              • CloseHandle.KERNEL32(00000000,00000052), ref: 00407FEA
                              • CloseHandle.KERNEL32(00000000), ref: 00408038
                              Strings
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
                              • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller:
                              • API String ID: 3086580692-2596673759
                              • Opcode ID: 3628a73cbb86b5736265ac293d311146e85fdcb2316ed178213f0337e0fbe7ae
                              • Instruction ID: 8e1224200a6c450cfdafa1dd663dcbd78fa1a86951e699dbe30fbedc525f5c9c
                              • Opcode Fuzzy Hash: 3628a73cbb86b5736265ac293d311146e85fdcb2316ed178213f0337e0fbe7ae
                              • Instruction Fuzzy Hash: 05B191316083409BC354FB65C891AAFB7E9AFD4314F40492FF489622D2EF789D458B8B
                              APIs
                                • Part of subcall function 004112B5: TerminateProcess.KERNEL32(00000000,?,0040C3C8), ref: 004112C5
                                • Part of subcall function 004112B5: WaitForSingleObject.KERNEL32(000000FF,?,0040C3C8), ref: 004112D8
                                • Part of subcall function 004120E8: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,origmsc), ref: 00412104
                                • Part of subcall function 004120E8: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,000003E8,?), ref: 0041211D
                                • Part of subcall function 004120E8: RegCloseKey.ADVAPI32(00000000), ref: 00412128
                              • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040C412
                              • ShellExecuteW.SHELL32(00000000,open,00000000,00469654,00469654,00000000), ref: 0040C571
                              • ExitProcess.KERNEL32 ref: 0040C57D
                              Strings
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                              • String ID: """, 0$.vbs$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$H"G$Temp$exepath$open
                              • API String ID: 1913171305-2600661426
                              • Opcode ID: c86d61277acc14c68f24433c0b654e0e29c296f6a8d4ad8667fc6f6870691cc8
                              • Instruction ID: b2ba4f5629099335deb4bd311fc34f74cd7c7cff7cc2b9b794c872af44b42b62
                              • Opcode Fuzzy Hash: c86d61277acc14c68f24433c0b654e0e29c296f6a8d4ad8667fc6f6870691cc8
                              • Instruction Fuzzy Hash: 214132319001185ACB14FBA2DC96DEE7778AF50708F50017FF506B71E2EE785E4ACA99
                              APIs
                              • connect.WS2_32(?,?,?), ref: 004048C0
                              • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 004049E0
                              • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 004049EE
                              • WSAGetLastError.WS2_32 ref: 00404A01
                                • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                              Strings
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: CreateEvent$ErrorLastLocalTimeconnect
                              • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                              • API String ID: 994465650-2151626615
                              • Opcode ID: b56ab407b7d85cc5e8983cef37c9724a1f5c45cc3ea0a996f87df1f4b9ef746f
                              • Instruction ID: f1749a2af40dec866484330b2464a30bcc7489b9f615ba144f2b3c776ade1d80
                              • Opcode Fuzzy Hash: b56ab407b7d85cc5e8983cef37c9724a1f5c45cc3ea0a996f87df1f4b9ef746f
                              • Instruction Fuzzy Hash: 37412AB5B406017BD608777A8E1B96E7625AB81304B50017FF901136D2EBBD9C2197DF
                              APIs
                                • Part of subcall function 00452A89: CreateFileW.KERNEL32(?,00000008,00000007,d.E,?,?,00000000,?,00452E64,00000000,0000000C), ref: 00452AA6
                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,FF8BC35D), ref: 00452ECF
                              • __dosmaperr.LIBCMT ref: 00452ED6
                              • GetFileType.KERNEL32(00000000), ref: 00452EE2
                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,FF8BC35D), ref: 00452EEC
                              • __dosmaperr.LIBCMT ref: 00452EF5
                              • CloseHandle.KERNEL32(00000000), ref: 00452F15
                              • CloseHandle.KERNEL32(00000000), ref: 0045305F
                              • GetLastError.KERNEL32 ref: 00453091
                              • __dosmaperr.LIBCMT ref: 00453098
                              Strings
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                              • String ID: H
                              • API String ID: 4237864984-2852464175
                              • Opcode ID: 474c31a6c8ccfba43807a2a750eddd9e1d52ca803bebdbe2fa86fef5e1c33935
                              • Instruction ID: def4621c7e831d5678052e1043e56ea9e2bfce8be848437acb5cac56d61a7e39
                              • Opcode Fuzzy Hash: 474c31a6c8ccfba43807a2a750eddd9e1d52ca803bebdbe2fa86fef5e1c33935
                              • Instruction Fuzzy Hash: CAA15832A101049FDF19EF68D8417AE7BB1AB0A325F14015FFC419B392DB798D1ACB5A
                              Strings
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: 65535$udp
                              • API String ID: 0-1267037602
                              • Opcode ID: 28a355c3c2c5299b67e9df14989e725b3f395b8ff7de4f3ce545a5dea485fe56
                              • Instruction ID: 74e44cdacc71272d4b4fe4479ff5a2c38cc960f39e0e81ce023821ae7ff597b0
                              • Opcode Fuzzy Hash: 28a355c3c2c5299b67e9df14989e725b3f395b8ff7de4f3ce545a5dea485fe56
                              • Instruction Fuzzy Hash: 3151F1F5209302ABD7209E15C809BBB77D4AB84B52F08842FF8A1973D0D76CDEC0965E
                              APIs
                              • __Init_thread_footer.LIBCMT ref: 00409C81
                              • Sleep.KERNEL32(000001F4), ref: 00409C8C
                              • GetForegroundWindow.USER32 ref: 00409C92
                              • GetWindowTextLengthW.USER32(00000000), ref: 00409C9B
                              • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 00409CCF
                              • Sleep.KERNEL32(000003E8), ref: 00409D9D
                                • Part of subcall function 0040962E: SetEvent.KERNEL32(?,?,00000000,0040A156,00000000), ref: 0040965A
                              Strings
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                              • String ID: [${ User has been idle for $ minutes }$]
                              • API String ID: 911427763-3954389425
                              • Opcode ID: a44f1e588b244d76f3851291f59a3d8a0f12b55ab3dd92a15c41ef104020a1a6
                              • Instruction ID: 7a62ae1493acfbf190be1d0992f15f5c774c3bdccfea44e4f2dca48363f02a21
                              • Opcode Fuzzy Hash: a44f1e588b244d76f3851291f59a3d8a0f12b55ab3dd92a15c41ef104020a1a6
                              • Instruction Fuzzy Hash: 7C5193716043405BD304FB61D855A6EB795AF84308F50093FF486A62E3DF7CAE45C69A
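The per-function listings above are most useful when the API set and the string set of a function are read together: CreateToolhelp32Snapshot/Process32FirstW/Process32NextW next to "ieinstal.exe" and "ielowutil.exe" (the Internet Explorer processes Remcos targets for injection), RegOpenKeyExA/RegEnumKeyExA on the Uninstall key next to "DisplayName"/"Publisher" (installed-software inventory), ShellExecuteW/ExitProcess next to the ".vbs" and "DeleteFile(Wscript.ScriptFullName)" fragments (a dropped VBS that deletes the executable and then itself), connect next to "TLS Handshake..." (the TLS-wrapped C2 connection), and GetForegroundWindow/GetWindowTextW next to "User has been idle for" (the idle-time logger). The helper below is an added example, not part of the Joe Sandbox report or of the Remcos code base: it parses this listing format and tags each function with the capability that such a combination implies. The tag names and the API-plus-string rules are my own assumptions about what each combination means; the sample input is constructed from lines in this section, with unrelated lines trimmed.

```python
# Added triage helper for Joe Sandbox IDA-plugin function listings (example
# code, not the report's or Remcos' own). Parses 'APIs' / 'String ID' blocks
# and tags functions by API-plus-string combination.
import re

# API bullet: optional "Part of subcall function X:" prefix, then Name.MODULE,
# then optionally the ", ref: ADDR" call-site address.
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function ([0-9A-Fa-f]+):\s*)?"
    r"(\w+)\.(\w+)(?:.*?\bref:\s*([0-9A-Fa-f]{8}))?"
)

# Capability rules (assumed, my own mapping): every API must be present and
# every needle must occur as a substring of some string in the block.
RULES = [
    ("enumerates-processes-for-ie-injection-target",
     {"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW"}, ("ieinstal.exe",)),
    ("inventories-installed-software",
     {"RegOpenKeyExA", "RegEnumKeyExA"}, ("CurrentVersion\\Uninstall", "DisplayName")),
    ("self-deletes-via-vbs",
     {"ShellExecuteW", "ExitProcess"}, (".vbs", "DeleteFile(Wscript.ScriptFullName)")),
    ("tls-wrapped-c2-connect", {"connect"}, ("TLS Handshake",)),
    ("monitors-user-idle-time",
     {"GetForegroundWindow", "GetWindowTextW"}, ("User has been idle for",)),
]


def parse_blocks(lines):
    """A block opens at an 'APIs' or 'Strings' header and closes at its
    '• Instruction Fuzzy Hash:' line, the last line of every listing."""
    blocks, cur = [], None
    for raw in lines:
        line = raw.strip()
        if line in ("APIs", "Strings") and (cur is None or cur["closed"]):
            cur = {"apis": [], "direct_refs": [], "strings": [], "closed": False}
            blocks.append(cur)
        elif cur is None or cur["closed"] or not line.startswith("•"):
            continue
        elif line.startswith("• Instruction Fuzzy Hash:"):
            cur["closed"] = True
        elif line.startswith("• String ID:"):
            rest = line[len("• String ID:"):].strip()
            # The plugin joins strings with '$', so a literal '$' inside a
            # string (the "[$" idle-log markers) is split as well.
            cur["strings"] = rest.split("$") if rest else []
        else:
            m = API_RE.match(line)
            if m:
                cur["apis"].append(m.group(2))
                if m.group(1) is None and m.group(4):  # direct call with address
                    cur["direct_refs"].append(m.group(4))
    return blocks


def tag_block(block):
    api_set = set(block["apis"])
    return [tag for tag, apis, needles in RULES
            if apis <= api_set
            and all(any(n in s for s in block["strings"]) for n in needles)]


def triage(lines):
    """One summary per function block, in report order."""
    return [{"first_ref": b["direct_refs"][0] if b["direct_refs"] else None,
             "apis": b["apis"], "tags": tag_block(b)}
            for b in parse_blocks(lines)]


# Constructed sample: five capability-bearing listings from this section plus
# one string-only block, unrelated lines trimmed.
SAMPLE_LINES = [
    "APIs",
    "• GetModuleFileNameW.KERNEL32(00000000,?,00000104,00472248,00471FFC,?,00000001), ref: 0040DE4E",
    "• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000001), ref: 0040DE79",
    "• Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040DE95",
    "• Process32NextW.KERNEL32(00000000,0000022C), ref: 0040DF14",
    "  • Part of subcall function 00419F87: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000), ref: 00419F9C",
    "Strings",
    r'• String ID: 0"G$C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe$!G',
    "• Instruction Fuzzy Hash: DB8121305083419BCA54FB61D8919EEB7E4AFA0348F40493FF586631E2EF78994DC75A",
    "APIs",
    r"• RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041A43B",
    "• RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041A47F",
    r"• String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString",
    "• Instruction Fuzzy Hash: BC8152311183419BC328EB51D891EEFB7E8EF94348F10493FF586921E2EF749949CA5A",
    "APIs",
    "• GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040C412",
    "• ShellExecuteW.SHELL32(00000000,open,00000000,00469654,00469654,00000000), ref: 0040C571",
    "• ExitProcess.KERNEL32 ref: 0040C57D",
    r'• String ID: """, 0$.vbs$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$H"G$Temp$exepath$open',
    "• Instruction Fuzzy Hash: 214132319001185ACB14FBA2DC96DEE7778AF50708F50017FF506B71E2EE785E4ACA99",
    "APIs",
    "• connect.WS2_32(?,?,?), ref: 004048C0",
    "• WSAGetLastError.WS2_32 ref: 00404A01",
    "• String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |",
    "• Instruction Fuzzy Hash: 37412AB5B406017BD608777A8E1B96E7625AB81304B50017FF901136D2EBBD9C2197DF",
    "APIs",
    "• __Init_thread_footer.LIBCMT ref: 00409C81",
    "• GetForegroundWindow.USER32 ref: 00409C92",
    "• GetWindowTextW.USER32(00000000,00000000,00000000), ref: 00409CCF",
    "• String ID: [${ User has been idle for $ minutes }$]",
    "• Instruction Fuzzy Hash: 7C5193716043405BD304FB61D855A6EB795AF84308F50093FF486A62E3DF7CAE45C69A",
    "Strings",
    "• String ID: 65535$udp",
    "• Instruction Fuzzy Hash: 3151F1F5209302ABD7209E15C809BBB77D4AB84B52F08842FF8A1973D0D76CDEC0965E",
]

if __name__ == "__main__":
    for r in triage(SAMPLE_LINES):
        print(r["first_ref"], r["tags"])
```

Run it on a saved copy of the report text (one line per report line) to get a per-function capability list keyed by the first direct call-site address; the "Part of subcall function" bullets are counted toward a function's API set but not toward its own address, so a tag lands on the caller that actually combines the APIs with the strings. The split on "$" is the plugin's own string separator, so strings containing a literal "$" are fragmented and a rule that depends on such a string should use a needle from one fragment only.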
                              APIs
                              • GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0040C753
                              Strings
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: LongNamePath
                              • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                              • API String ID: 82841172-425784914
                              • Opcode ID: 611eacb1f2b12eabfa35ce51232d41e6553fe8371d81c53e9ab5b340c3cd037e
                              • Instruction ID: e0747f7f0ded3e76473395fd4b63a7f1dfd4675be44f898a7a0c8db3d1efc66a
                              • Opcode Fuzzy Hash: 611eacb1f2b12eabfa35ce51232d41e6553fe8371d81c53e9ab5b340c3cd037e
                              • Instruction Fuzzy Hash: EB4168315042419AC204FB62DC929EFB7E8AEA4759F10063FF541720E2EF799E49C99F
                              APIs
                              • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00438632
                              • GetLastError.KERNEL32(?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043863F
                              • __dosmaperr.LIBCMT ref: 00438646
                              • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00438672
                              • GetLastError.KERNEL32(?,?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043867C
                              • __dosmaperr.LIBCMT ref: 00438683
                              • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401D35,?), ref: 004386C6
                              • GetLastError.KERNEL32(?,?,?,?,?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004386D0
                              • __dosmaperr.LIBCMT ref: 004386D7
                              • _free.LIBCMT ref: 004386E3
                              • _free.LIBCMT ref: 004386EA
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                              • String ID:
                              • API String ID: 2441525078-0
                              • Opcode ID: 754b37205d6cd88dea2e57a046153fac0b2c26eaf77bc51e198666fb1f449e95
                              • Instruction ID: 210192a7601cd99409c426d56dfac4e8df60f1af96207b6eb293af60208c7bc2
                              • Opcode Fuzzy Hash: 754b37205d6cd88dea2e57a046153fac0b2c26eaf77bc51e198666fb1f449e95
                              • Instruction Fuzzy Hash: 4E31B17280030ABBDF11AFA5DC469AF7B69AF08325F10425EF81056291DF39CD11DB69
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: _free
                              • String ID: pF$tF
                              • API String ID: 269201875-2954683558
                              • Opcode ID: 0017408d32ff71f8327e26c25c7248eb33913fce7ae2350609d9814c511e4433
                              • Instruction ID: 6443803da38cddfc03973e112e1470be20db66c409a4168417c9ccfa39c85508
                              • Opcode Fuzzy Hash: 0017408d32ff71f8327e26c25c7248eb33913fce7ae2350609d9814c511e4433
                              • Instruction Fuzzy Hash: 1261D5B5D00205AFEB20CF69C841BAABBF4EF05B14F15416BE944EB381E7749D41DB58
                              APIs
                              • Sleep.KERNEL32(00001388), ref: 00409738
                                • Part of subcall function 0040966D: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409745), ref: 004096A3
                                • Part of subcall function 0040966D: GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409745), ref: 004096B2
                                • Part of subcall function 0040966D: Sleep.KERNEL32(00002710,?,?,?,00409745), ref: 004096DF
                                • Part of subcall function 0040966D: CloseHandle.KERNEL32(00000000,?,?,?,00409745), ref: 004096E6
                              • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00409774
                              • GetFileAttributesW.KERNEL32(00000000), ref: 00409785
                              • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040979C
                              • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 00409816
                                • Part of subcall function 0041A20F: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A228
                              • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00469654,00000000,00000000,00000000), ref: 0040991F
                              Strings
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                              • String ID: 05Wu`Wu$H"G$H"G
                              • API String ID: 3795512280-2552467925
                              • Opcode ID: 13e2dbf3d5e885c0786faa6bc9ba80587d0ab8a2a4bc2c59858fca73f58dbc4d
                              • Instruction ID: 85d6828eff9e87111454ffe40de9a07a949f8ec8799fb43d86416e8e02d17308
                              • Opcode Fuzzy Hash: 13e2dbf3d5e885c0786faa6bc9ba80587d0ab8a2a4bc2c59858fca73f58dbc4d
                              • Instruction Fuzzy Hash: 9D513D712043015BCB14BB72C9A6ABF76999F90308F00453FB946B72E3DF7D9D09869A
                              APIs
                              • SetEvent.KERNEL32(?,?), ref: 0040549F
                              • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040554F
                              • TranslateMessage.USER32(?), ref: 0040555E
                              • DispatchMessageA.USER32(?), ref: 00405569
                              • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00471F10), ref: 00405621
                              • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 00405659
                                • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                              Strings
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                              • String ID: CloseChat$DisplayMessage$GetMessage
                              • API String ID: 2956720200-749203953
                              • Opcode ID: 38da9913c1d94b4fc4e25114756b75ad617155bf13c772cc5ff9b28bcc7bf55c
                              • Instruction ID: 0f013d79663c92f7c21c274702d2b8200e9ba5951f20e13ff122dbd33ecc2bba
                              • Opcode Fuzzy Hash: 38da9913c1d94b4fc4e25114756b75ad617155bf13c772cc5ff9b28bcc7bf55c
                              • Instruction Fuzzy Hash: 8B41C471A043016BCB00FB75DC5A86F77A9EB85714B40093EF946A31D2EF79C905CB9A
                              APIs
                                • Part of subcall function 0041626A: __EH_prolog.LIBCMT ref: 0041626F
                              • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,00463050), ref: 0041611A
                              • CloseHandle.KERNEL32(00000000), ref: 00416123
                              • DeleteFileA.KERNEL32(00000000), ref: 00416132
                              • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 004160E6
                                • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                              Strings
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
                              • String ID: <$@$@%G$@%G$Temp
                              • API String ID: 1704390241-4139030828
                              • Opcode ID: 2c1979de410b9738e481fa727b302a0dd89e2ec540be45fee9571ea6700d777e
                              • Instruction ID: 980de7e6e99344695fa922fac5fad97fc57b46ec9d0f9c422bd6bd0d3fbbc04a
                              • Opcode Fuzzy Hash: 2c1979de410b9738e481fa727b302a0dd89e2ec540be45fee9571ea6700d777e
                              • Instruction Fuzzy Hash: 48419131900209ABDB14FB61DC56AEEB739AF50308F50417EF505760E2EF785E8ACB99
                              APIs
                              • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0041843C,00000000), ref: 00418AD2
                              • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0041843C,00000000), ref: 00418AE9
                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041843C,00000000), ref: 00418AF6
                              • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041843C,00000000), ref: 00418B05
                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041843C,00000000), ref: 00418B16
                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041843C,00000000), ref: 00418B19
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: Service$CloseHandle$Open$ControlManager
                              • String ID:
                              • API String ID: 221034970-0
                              • Opcode ID: c0ea185af2b6cb95e5d246b028910c14a7565b46c2d114a674b25013468a4f31
                              • Instruction ID: 27c4ffebcf7932a5624e60d5a3802e7503a1161fac6a42b5cc64803f4be6ae02
                              • Opcode Fuzzy Hash: c0ea185af2b6cb95e5d246b028910c14a7565b46c2d114a674b25013468a4f31
                              • Instruction Fuzzy Hash: A211E9715002186FD610EF64DC89CFF3B6CDF41B96741012AFA0593192DF789D469AF5
                              APIs
                              • _free.LIBCMT ref: 00445645
                                • Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
                                • Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA
                              • _free.LIBCMT ref: 00445651
                              • _free.LIBCMT ref: 0044565C
                              • _free.LIBCMT ref: 00445667
                              • _free.LIBCMT ref: 00445672
                              • _free.LIBCMT ref: 0044567D
                              • _free.LIBCMT ref: 00445688
                              • _free.LIBCMT ref: 00445693
                              • _free.LIBCMT ref: 0044569E
                              • _free.LIBCMT ref: 004456AC
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: _free$ErrorFreeHeapLast
                              • String ID:
                              • API String ID: 776569668-0
                              • Opcode ID: 93d31162751b94c5375648fc1d7c6d5428524314512021667e8ac2086323d142
                              • Instruction ID: 08dc7793ba969bb8ae61e50cce6790fa76a3b05f45cdd3d63b195ce4761959f1
                              • Opcode Fuzzy Hash: 93d31162751b94c5375648fc1d7c6d5428524314512021667e8ac2086323d142
                              • Instruction Fuzzy Hash: A511CB7610010CBFDB01EF55C986CDD3B65FF04759B4284AAFA885F222EA35DF509B88
                              APIs
                              • __EH_prolog.LIBCMT ref: 00417F6F
                              • GdiplusStartup.GDIPLUS(00471668,?,00000000), ref: 00417FA1
                              • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0041802D
                              • Sleep.KERNEL32(000003E8), ref: 004180B3
                              • GetLocalTime.KERNEL32(?), ref: 004180BB
                              • Sleep.KERNEL32(00000000,00000018,00000000), ref: 004181AA
                              Strings
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                              • String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
                              • API String ID: 489098229-3790400642
                              • Opcode ID: 27953ccb73c7935c50ce76e498ac53549bd0f641fbc99231dbf637836dbf8ac1
                              • Instruction ID: ff50de85f816598f14f139fcbfe24147e98e2bb745fd097185ef2e944e73ca26
                              • Opcode Fuzzy Hash: 27953ccb73c7935c50ce76e498ac53549bd0f641fbc99231dbf637836dbf8ac1
                              • Instruction Fuzzy Hash: 98516071A001549BCB04BBB5C8529FD76A8AF55308F04403FF805A71E2EF7C5E85C799
                              APIs
                              • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,004541DF), ref: 00453107
                              Strings
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: DecodePointer
                              • String ID: acos$asin$exp$log$log10$pow$sqrt
                              • API String ID: 3527080286-3064271455
                              • Opcode ID: f53d904abd5658a060f413a89978d0306c3294a3021a30185663c10ae64f840c
                              • Instruction ID: 9333e61b372fbf41addd7e909d3efe481a8fa84217f9852f3907f1ba123c2b47
                              • Opcode Fuzzy Hash: f53d904abd5658a060f413a89978d0306c3294a3021a30185663c10ae64f840c
                              • Instruction Fuzzy Hash: CC518F30900909DBCF10DFA8E9480ADBBB0FF0A347F644196EC81A7216CB799A1DDB1D
                              APIs
                              • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 00415A1A
                                • Part of subcall function 0041A20F: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A228
                              • Sleep.KERNEL32(00000064), ref: 00415A46
                              • DeleteFileW.KERNEL32(00000000), ref: 00415A7A
                              Strings
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: File$CreateDeleteExecuteShellSleep
                              • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                              • API String ID: 1462127192-2001430897
                              • Opcode ID: c216d361bb9ef99ebd7f865ddf1f7fdade912dea526e25dca7a569b2ba1e0d71
                              • Instruction ID: 7fbd65b43d39327dc9f625a99f058064c4c6325298edc9245ab65683dcac2845
                              • Opcode Fuzzy Hash: c216d361bb9ef99ebd7f865ddf1f7fdade912dea526e25dca7a569b2ba1e0d71
                              • Instruction Fuzzy Hash: FA315E719402199ACB04FBA1DC96DEE7768EF50308F40017FF506731E2EE785E8ACA99
                              APIs
                              • ShellExecuteW.SHELL32(00000000,open,00000000,00469654,00469654,00000000), ref: 00406775
                              • ExitProcess.KERNEL32 ref: 00406782
                              Strings
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExecuteExitProcessShell
                              • String ID: H"G$Software\Classes\mscfile\shell\open\command$eventvwr.exe$mscfile\shell\open\command$open$origmsc
                              • API String ID: 1124553745-1488154373
                              • Opcode ID: 8e5fad59d86c60b71b0e885ed10285bbf14514be7c7ad01d69b843f0820051ef
                              • Instruction ID: 062031feec86e4e4641db6525c6f69cb17b792298443eef288e26788f9a4eac4
                              • Opcode Fuzzy Hash: 8e5fad59d86c60b71b0e885ed10285bbf14514be7c7ad01d69b843f0820051ef
                              • Instruction Fuzzy Hash: 36110571A4420166D704B7A2DC57FEF32689B10B09F50003FF906B61D2EEBC5A4982DE
                              APIs
                              • AllocConsole.KERNEL32(00000001), ref: 0041AA5D
                              • ShowWindow.USER32(00000000,00000000), ref: 0041AA76
                              Strings
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: AllocConsoleShowWindow
                              • String ID: * BreakingSecurity.net$ * Remcos v$--------------------------$--------------------------$3.8.0 Pro$CONOUT$
                              • API String ID: 4118500197-4025029772
                              • Opcode ID: 613498324cd6a8c522b436d369b4391aab2e08fe6d6e431343eccbd2d6afca2c
                              • Instruction ID: 07661f9972e693547954b0fc743ee20e91627884e026026f5b86345d1a8b50cd
                              • Opcode Fuzzy Hash: 613498324cd6a8c522b436d369b4391aab2e08fe6d6e431343eccbd2d6afca2c
                              • Instruction Fuzzy Hash: CE015271D803586ADB10EBF59C06FDF77AC6B18708F54142BB100A7095E7FC950C4A2D
                              APIs
                              • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041B22B
                                • Part of subcall function 0041B2C4: RegisterClassExA.USER32(00000030), ref: 0041B310
                                • Part of subcall function 0041B2C4: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041B32B
                                • Part of subcall function 0041B2C4: GetLastError.KERNEL32 ref: 0041B335
                              • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041B262
                              • lstrcpynA.KERNEL32(00471AF8,Remcos,00000080), ref: 0041B27C
                              • Shell_NotifyIconA.SHELL32(00000000,00471AE0), ref: 0041B292
                              • TranslateMessage.USER32(?), ref: 0041B29E
                              • DispatchMessageA.USER32(?), ref: 0041B2A8
                              • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041B2B5
                              Strings
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                              • String ID: Remcos
                              • API String ID: 1970332568-165870891
                              • Opcode ID: 6a629144b245819b38f2933f29616ef2380529a0a937335efbac9e54df28edc4
                              • Instruction ID: 392c2ce23d615fe7cfca65c1bdf78dc563e79c4ff08160ae13be93183ad442b8
                              • Opcode Fuzzy Hash: 6a629144b245819b38f2933f29616ef2380529a0a937335efbac9e54df28edc4
                              • Instruction Fuzzy Hash: CD013971901308ABCB10DBB9ED4EEDB7BBCFB85B05F40417AF51992061D7B89489CB68
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d7410a98b278d9d25d0fcdc47fb7c960ad5f7d9b58d6d06d1c87314e37a5ed65
                              • Instruction ID: 53180985ac70b1d9c95f382170f9691aec8243d5c40cf1d2be039b65846bfc46
                              • Opcode Fuzzy Hash: d7410a98b278d9d25d0fcdc47fb7c960ad5f7d9b58d6d06d1c87314e37a5ed65
                              • Instruction Fuzzy Hash: 2DC12970D44245AFEB11DFA8D841BEEBBB0BF19304F04419AE844A7392C7798D51DB6B
                              APIs
                              • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,0045123C,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 0045100F
                              • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,0045123C,00000000,00000000,?,00000001,?,?,?,?), ref: 00451092
                              • __alloca_probe_16.LIBCMT ref: 004510CA
                              • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,0045123C,?,0045123C,00000000,00000000,?,00000001,?,?,?,?), ref: 00451125
                              • __alloca_probe_16.LIBCMT ref: 00451174
                              • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,0045123C,00000000,00000000,?,00000001,?,?,?,?), ref: 0045113C
                                • Part of subcall function 00443649: RtlAllocateHeap.NTDLL(00000000,00433069,?,?,004365E7,?,?,00000000,00473A38,?,0040C88A,00433069,?,?,?,?), ref: 0044367B
                              • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,0045123C,00000000,00000000,?,00000001,?,?,?,?), ref: 004511B8
                              • __freea.LIBCMT ref: 004511E3
                              • __freea.LIBCMT ref: 004511EF
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                              • String ID:
                              • API String ID: 201697637-0
                              • Opcode ID: 3fb5d38a305e3cd885e4cf01d6a6faccac9c0be3147af9b9f82741c0feb9dacf
                              • Instruction ID: 005ec385ace484c3041e352596739c7debf7d66643145b34d09858c349e559c3
                              • Opcode Fuzzy Hash: 3fb5d38a305e3cd885e4cf01d6a6faccac9c0be3147af9b9f82741c0feb9dacf
                              • Instruction Fuzzy Hash: C191D632E002169BDB209EA5C881BAF7BB59F09716F14025BED00E7292D72DDD89C768
                              APIs
                                • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                                • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                                • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                                • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                              • _memcmp.LIBVCRUNTIME ref: 00442935
                              • _free.LIBCMT ref: 004429A6
                              • _free.LIBCMT ref: 004429BF
                              • _free.LIBCMT ref: 004429F1
                              • _free.LIBCMT ref: 004429FA
                              • _free.LIBCMT ref: 00442A06
                              Strings
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: _free$ErrorLast$_abort_memcmp
                              • String ID: C
                              • API String ID: 1679612858-1037565863
                              • Opcode ID: 432fc3ea507ab00d5c61cbebfc7d6860faf6a87f9b6526557229100be8563697
                              • Instruction ID: aeaf983377083d43a1268bd0837f448671c9c2270315b144058cc99b7af0bbb4
                              • Opcode Fuzzy Hash: 432fc3ea507ab00d5c61cbebfc7d6860faf6a87f9b6526557229100be8563697
                              • Instruction Fuzzy Hash: C6B14B75A01219DFEB24DF19C984AAEB7B4FF08314F5045AEE849A7350E774AE90CF44
                              Strings
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: tcp$udp
                              • API String ID: 0-3725065008
                              • Opcode ID: 688bcc682103751b5d6e0fc50f4ff73081394bc5db4df513150874dffde81862
                              • Instruction ID: 0146648cb9627796ba72a5075a1bb19f593c332394d5faf8ede73001e6eead87
                              • Opcode Fuzzy Hash: 688bcc682103751b5d6e0fc50f4ff73081394bc5db4df513150874dffde81862
                              • Instruction Fuzzy Hash: 0271AB306083029FDB24CF55C4456ABBBE5AB88B06F14483FF88587351DB78CE85CB8A
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: Eventinet_ntoa
                              • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse
                              • API String ID: 3578746661-168337528
                              • Opcode ID: c3d225834e3254adb17b52a5ed13ece1e9c6b305f91900c89a6b7ea0c4643d74
                              • Instruction ID: 6b7c77c2de925f44c7fd0444b04eaa142d1c015a05a303cede5520b91582e870
                              • Opcode Fuzzy Hash: c3d225834e3254adb17b52a5ed13ece1e9c6b305f91900c89a6b7ea0c4643d74
                              • Instruction Fuzzy Hash: 1B51C671A043005BC704FB35E81AAAE36A56B85304F50453FF942972E2EFBD998987CF
                              APIs
                              • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,00471E78,00462F54,?,00000000,0040708D,00000000), ref: 00406A56
                              • WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000,?,000186A0,?,?,00000000,0040708D,00000000,?,?,0000000A,00000000), ref: 00406A9E
                                • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                              • CloseHandle.KERNEL32(00000000,?,00000000,0040708D,00000000,?,?,0000000A,00000000), ref: 00406ADE
                              • MoveFileW.KERNEL32(00000000,00000000), ref: 00406AFB
                              • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,?,0000000A,00000000), ref: 00406B26
                              • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00406B36
                                • Part of subcall function 00404B76: WaitForSingleObject.KERNEL32(?,000000FF,00000000,00471E90,00404C29,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404B85
                                • Part of subcall function 00404B76: SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040546B), ref: 00404BA3
                              Strings
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                              • String ID: .part
                              • API String ID: 1303771098-3499674018
                              • Opcode ID: b311657231bfd1ddbcc4a820267832357b1505ed209a9d42b0dbde4102a0be9c
                              • Instruction ID: 678cfffe15af58d7f0b712f13b91f409224560124cae5e22a1f642ab954cf825
                              • Opcode Fuzzy Hash: b311657231bfd1ddbcc4a820267832357b1505ed209a9d42b0dbde4102a0be9c
                              • Instruction Fuzzy Hash: 183195715043519FC210FF61D8859AFB7E8EF84305F40493FB946A21E1DB78DE488B9A
                              APIs
                              • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,0043E2F6,0043E2F6,?,?,?,00447215,00000001,00000001,80E85006), ref: 0044701E
                              • __alloca_probe_16.LIBCMT ref: 00447056
                              • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00447215,00000001,00000001,80E85006,?,?,?), ref: 004470A4
                              • __alloca_probe_16.LIBCMT ref: 0044713B
                              • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,80E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0044719E
                              • __freea.LIBCMT ref: 004471AB
                                • Part of subcall function 00443649: RtlAllocateHeap.NTDLL(00000000,00433069,?,?,004365E7,?,?,00000000,00473A38,?,0040C88A,00433069,?,?,?,?), ref: 0044367B
                              • __freea.LIBCMT ref: 004471B4
                              • __freea.LIBCMT ref: 004471D9
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                              • String ID:
                              • API String ID: 3864826663-0
                              • Opcode ID: 04037ebd5a1a4f50f5415f33d7545ea1837db620aa2cb0a216d5dedd30da5abc
                              • Instruction ID: 54c76e5b98bc3e662f405ec50a570bffd16f8396d3d33e450f7b83ec1f761fab
                              • Opcode Fuzzy Hash: 04037ebd5a1a4f50f5415f33d7545ea1837db620aa2cb0a216d5dedd30da5abc
                              • Instruction Fuzzy Hash: C051F372604216AFFB258F65CC81EAF77A9EB44754F19422EFC04D6340EB38DC4296A8
                              APIs
                              • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00417982
                              • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004179A3
                              • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004179C3
                              • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004179D7
                              • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004179ED
                              • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00417A0A
                              • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00417A25
                              • SendInput.USER32(00000001,?,0000001C,?,00000000), ref: 00417A41
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: InputSend
                              • String ID:
                              • API String ID: 3431551938-0
                              • Opcode ID: 6aaf5890e5c1829a4f0a9f9de961f2057ca44ae286fc2f2a8f4f79c9cdb01491
                              • Instruction ID: 18205c9a4f61e0979ba7f31da2e0396e133b47f61cec1eebe1044e0c870e5742
                              • Opcode Fuzzy Hash: 6aaf5890e5c1829a4f0a9f9de961f2057ca44ae286fc2f2a8f4f79c9cdb01491
                              • Instruction Fuzzy Hash: BF3180715583086EE311CF51D941BEBBFECEF99B54F00080FF6809A191D2A696C98BA7
                              APIs
                              • OpenClipboard.USER32 ref: 00414F41
                              • EmptyClipboard.USER32 ref: 00414F4F
                              • CloseClipboard.USER32 ref: 00414F55
                              • OpenClipboard.USER32 ref: 00414F5C
                              • GetClipboardData.USER32(0000000D), ref: 00414F6C
                              • GlobalLock.KERNEL32(00000000), ref: 00414F75
                              • GlobalUnlock.KERNEL32(00000000), ref: 00414F7E
                              • CloseClipboard.USER32 ref: 00414F84
                                • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                              • String ID:
                              • API String ID: 2172192267-0
                              • Opcode ID: 828cfcc74c82ea041a7dd29e4e1c173cc2e20efda03bf5817e1bab7b2f8bf981
                              • Instruction ID: b342c93700c1c5b5557293b3c64df63ecfc3f94f93ee8c928ebb46f035b43356
                              • Opcode Fuzzy Hash: 828cfcc74c82ea041a7dd29e4e1c173cc2e20efda03bf5817e1bab7b2f8bf981
                              • Instruction Fuzzy Hash: 7C015E312443009BD314BF71DC596AA76A8EBE0346F81057EB94A931A3DF3899498A9A
                              APIs
                              • GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,00447ECC,00453EB5,00000000,00000000,00000000,00000000,00000000), ref: 00447799
                              • __fassign.LIBCMT ref: 00447814
                              • __fassign.LIBCMT ref: 0044782F
                              • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 00447855
                              • WriteFile.KERNEL32(?,00000000,00000000,00447ECC,00000000,?,?,?,?,?,?,?,?,?,00447ECC,00453EB5), ref: 00447874
                              • WriteFile.KERNEL32(?,00453EB5,00000001,00447ECC,00000000,?,?,?,?,?,?,?,?,?,00447ECC,00453EB5), ref: 004478AD
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                              • String ID:
                              • API String ID: 1324828854-0
                              • Opcode ID: a748b16374f527b7a80cf69ed727348adf3f69da4df0249be72511d103bd3332
                              • Instruction ID: 74b5e8c6f427b63fe2026e60454d3d85c0c1d9029b0a2cc1a9ecb7a500eaa1fe
                              • Opcode Fuzzy Hash: a748b16374f527b7a80cf69ed727348adf3f69da4df0249be72511d103bd3332
                              • Instruction Fuzzy Hash: 32510870E042499FEB10DFA8DC85AEEBBF8EF09300F14416BE951E7291E7749941CB69
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: _free
                              • String ID: $-E$$-E
                              • API String ID: 269201875-3140958853
                              • Opcode ID: ee8e1cba0696e1ef76f6de9b16e819625eafbf0b8f389bd133dd680e215230cb
                              • Instruction ID: 9707d98a659f88f98630b1874925085f47dfd26ea07d7c57405a666b90b138a8
                              • Opcode Fuzzy Hash: ee8e1cba0696e1ef76f6de9b16e819625eafbf0b8f389bd133dd680e215230cb
                              • Instruction Fuzzy Hash: 69412C32A041006BDB21AFBA8C4666F3BA5DF453B7F10461FFC18D6293DB3C8E15466A
                              APIs
                              • _strftime.LIBCMT ref: 00401D30
                                • Part of subcall function 00401A4D: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AB9
                              • waveInUnprepareHeader.WINMM(0046FA78,00000020,00000000,?), ref: 00401DE2
                              • waveInPrepareHeader.WINMM(0046FA78,00000020), ref: 00401E20
                              • waveInAddBuffer.WINMM(0046FA78,00000020), ref: 00401E2F
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                              • String ID: %Y-%m-%d %H.%M$.wav
                              • API String ID: 3809562944-3597965672
                              • Opcode ID: b10e30c525f246f4611f68b91188478031edfba2b9a6cbdc9954c4cf903c77cf
                              • Instruction ID: eb6f517cf981021e41f9baa65c06222081641aa24e02a1e4c78245b08a68fc14
                              • Opcode Fuzzy Hash: b10e30c525f246f4611f68b91188478031edfba2b9a6cbdc9954c4cf903c77cf
                              • Instruction Fuzzy Hash: 743150315043009BC314EBA1EC56A9E77E8FB54318F50893EF599A21F2EFB49909CB5E
                              APIs
                                • Part of subcall function 00411F91: RegOpenKeyExA.ADVAPI32(80000002,00000400,00000000,00020019,?), ref: 00411FB5
                                • Part of subcall function 00411F91: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000400), ref: 00411FD2
                                • Part of subcall function 00411F91: RegCloseKey.ADVAPI32(?), ref: 00411FDD
                              • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040AEAC
                              • PathFileExistsA.SHLWAPI(?), ref: 0040AEB9
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                              • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                              • API String ID: 1133728706-4073444585
                              • Opcode ID: 2710e71acfe910868fa7bd05cf86435756edf937fb7501142c457778cac90120
                              • Instruction ID: 9e227284a7a69f00510d3be81dd7cde1580ac9a58a9ca8fbd928e09bf644cbd9
                              • Opcode Fuzzy Hash: 2710e71acfe910868fa7bd05cf86435756edf937fb7501142c457778cac90120
                              • Instruction Fuzzy Hash: CF21B170A4020556CB00FBE2CC97DEE7368AF51348F80013FB901772D2EB795A45C6DA
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a9bccf30988101774ee440fa5cc9a08b358316fbf5677ac8bfda6d7ead677197
                              • Instruction ID: 106e2cecea33a690a52cc41c1271e31c3df1f85e8271d36c5dacef07d135bc52
                              • Opcode Fuzzy Hash: a9bccf30988101774ee440fa5cc9a08b358316fbf5677ac8bfda6d7ead677197
                              • Instruction Fuzzy Hash: 2C113232504214BBCB213F769C0596B7B7CDF857A7F11062BFC1583292DA38C9089269
                              APIs
                                • Part of subcall function 0044DE21: _free.LIBCMT ref: 0044DE4A
                              • _free.LIBCMT ref: 0044E128
                                • Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
                                • Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA
                              • _free.LIBCMT ref: 0044E133
                              • _free.LIBCMT ref: 0044E13E
                              • _free.LIBCMT ref: 0044E192
                              • _free.LIBCMT ref: 0044E19D
                              • _free.LIBCMT ref: 0044E1A8
                              • _free.LIBCMT ref: 0044E1B3
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: _free$ErrorFreeHeapLast
                              • String ID:
                              • API String ID: 776569668-0
                              • Opcode ID: d645742a9f031bfd4c53cfe37fe00a001808073c56fe889b6c8b285726f20831
                              • Instruction ID: b65b67035ea7ffc6fe2c1778d32cb4f6cbb79ca162155871331ff7aa41bb66fd
                              • Opcode Fuzzy Hash: d645742a9f031bfd4c53cfe37fe00a001808073c56fe889b6c8b285726f20831
                              • Instruction Fuzzy Hash: 64111571940B08AAE520BFF2CC47FCBB7DC9F14708F50882EB29D6A552DA7DB6044654
                              APIs
                                • Part of subcall function 00419F23: GetCurrentProcess.KERNEL32(?,?,?,0040C663,WinDir,00000000,00000000), ref: 00419F34
                                • Part of subcall function 00411F91: RegOpenKeyExA.ADVAPI32(80000002,00000400,00000000,00020019,?), ref: 00411FB5
                                • Part of subcall function 00411F91: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000400), ref: 00411FD2
                                • Part of subcall function 00411F91: RegCloseKey.ADVAPI32(?), ref: 00411FDD
                              • StrToIntA.SHLWAPI(00000000,00469710,00000000,00000000,00000000,00471FFC,00000001,?,?,?,?,?,?,0040D6A0), ref: 00419327
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseCurrentOpenProcessQueryValue
                              • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                              • API String ID: 1866151309-2070987746
                              • Opcode ID: 905e145e97e877e89bffcd847be86f3e5d4b8ef02cc69856730a9e086f165d02
                              • Instruction ID: a9b62d1d1389f8d2b696bc63f2982e792167bed2dd8bed00043a633dd184e9c5
                              • Opcode Fuzzy Hash: 905e145e97e877e89bffcd847be86f3e5d4b8ef02cc69856730a9e086f165d02
                              • Instruction Fuzzy Hash: E411E371A002456AC704B765CC67AAF761D8B54309F64053FF905A71E2FABC4D8282AA
                              APIs
                              • GetLastError.KERNEL32(?,?,004380F1,0043705E), ref: 00438108
                              • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00438116
                              • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043812F
                              • SetLastError.KERNEL32(00000000,?,004380F1,0043705E), ref: 00438181
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: ErrorLastValue___vcrt_
                              • String ID:
                              • API String ID: 3852720340-0
                              • Opcode ID: 8fa3eba41d5dfcfa025b4cdbc1becdc984892f6557d94f52d480fd9577c81c63
                              • Instruction ID: 5a832d73688d02476ca7511e273f3515cfb573674d76dbd3fe9934521fa1a72b
                              • Opcode Fuzzy Hash: 8fa3eba41d5dfcfa025b4cdbc1becdc984892f6557d94f52d480fd9577c81c63
                              • Instruction Fuzzy Hash: F101283210C3326EAA102F767C85A1BAA94EB09779F31633FF214951E1FFA99C02550C
                              APIs
                              • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040AA1E
                              • GetLastError.KERNEL32 ref: 0040AA28
                              Strings
                              • [Chrome Cookies not found], xrefs: 0040AA42
                              • [Chrome Cookies found, cleared!], xrefs: 0040AA4E
                              • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040A9E9
                              • UserProfile, xrefs: 0040A9EE
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: DeleteErrorFileLast
                              • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                              • API String ID: 2018770650-304995407
                              • Opcode ID: b4927beb3b7d8682d6e8687247d88e98b96e581d4f5d1102126ce03b4be6211c
                              • Instruction ID: 1f34f6daae66b163f55af04f15e1d0b60933b3567ae099988c08ef58cbd90c9e
                              • Opcode Fuzzy Hash: b4927beb3b7d8682d6e8687247d88e98b96e581d4f5d1102126ce03b4be6211c
                              • Instruction Fuzzy Hash: 0E01F731B4020467C6047A75DD278AE77249951304B50057FF402773D2FD798915CA9F
                              APIs
                                • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                              • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 00418DA8
                              • PlaySoundW.WINMM(00000000,00000000), ref: 00418DB6
                              • Sleep.KERNEL32(00002710), ref: 00418DBD
                              • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 00418DC6
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: PlaySound$HandleLocalModuleSleepTime
                              • String ID: Alarm triggered$`Wu
                              • API String ID: 614609389-1738255680
                              • Opcode ID: bdf6e914fbef22af66a0bd792b19461622f07135ad8277a1fc3addc14a55c3ce
                              • Instruction ID: 312fa8acbc24107594bc9953998d05cc744500d2263fe9839a2dc32143519282
                              • Opcode Fuzzy Hash: bdf6e914fbef22af66a0bd792b19461622f07135ad8277a1fc3addc14a55c3ce
                              • Instruction Fuzzy Hash: 9EE01226E4026037A510376A6D0FC6F2D2DDBD3B6274501AFFA04571D2D9A4080186FF
                              APIs
                              • __allrem.LIBCMT ref: 00438A09
                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00438A25
                              • __allrem.LIBCMT ref: 00438A3C
                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00438A5A
                              • __allrem.LIBCMT ref: 00438A71
                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00438A8F
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                              • String ID:
                              • API String ID: 1992179935-0
                              • Opcode ID: e54fcd2a271a95563de48233a52a921a5b89548056e17f80f76cd68e5be4f8c8
                              • Instruction ID: 1db505a437643d25cad1e1ab06004ebe691486694b679651004c0d70fbe8f9c1
                              • Opcode Fuzzy Hash: e54fcd2a271a95563de48233a52a921a5b89548056e17f80f76cd68e5be4f8c8
                              • Instruction Fuzzy Hash: CD815972A007069BE724BA29CC41B6BF3E8AF49328F14512FF511D6382EF78D900875D
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: __cftoe
                              • String ID:
                              • API String ID: 4189289331-0
                              • Opcode ID: 0fae115f831cac106012114eb4540e124d695819a26846d31b7a5b9ad28ad3e8
                              • Instruction ID: 4563a9c63fae0d6d7f7aa9a83d474a3ec136fb2d14012502de5dff0b8c27d610
                              • Opcode Fuzzy Hash: 0fae115f831cac106012114eb4540e124d695819a26846d31b7a5b9ad28ad3e8
                              • Instruction Fuzzy Hash: CB510C32500205ABFB209F598E45EAF77B8EF48334FE0421FF415D6282EB79D941966C
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: __freea$__alloca_probe_16_free
                              • String ID: a/p$am/pm
                              • API String ID: 2936374016-3206640213
                              • Opcode ID: 5bf20948ecfdcfc47f5d03c18463ec118060d09d36ce90c1cff5387842e26ce9
                              • Instruction ID: 5910b70c00eb86a61931efff1dda8232d7c1eee9eff2524394b85f82b3a3e216
                              • Opcode Fuzzy Hash: 5bf20948ecfdcfc47f5d03c18463ec118060d09d36ce90c1cff5387842e26ce9
                              • Instruction Fuzzy Hash: 05D1E171900206CAFB289F68C895BBBB7B1FF85300F29415BE905AB391D73D9D81CB59
                              APIs
                              • std::_Lockit::_Lockit.LIBCPMT ref: 0040F8C4
                              • int.LIBCPMT ref: 0040F8D7
                                • Part of subcall function 0040CAE9: std::_Lockit::_Lockit.LIBCPMT ref: 0040CAFA
                                • Part of subcall function 0040CAE9: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CB14
                              • std::_Facet_Register.LIBCPMT ref: 0040F917
                              • std::_Lockit::~_Lockit.LIBCPMT ref: 0040F920
                              • __CxxThrowException@8.LIBVCRUNTIME ref: 0040F93E
                              • __Init_thread_footer.LIBCMT ref: 0040F97F
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
                              • String ID:
                              • API String ID: 3815856325-0
                              • Opcode ID: 296aa1fc45bd8a97e11338d30c2ad026eda8063a32206ad78c4166fd1b77079b
                              • Instruction ID: 3bb9722abb9e04fd13c8d4025e7ce1c878c76566b3017ce531706a3e1b7c3414
                              • Opcode Fuzzy Hash: 296aa1fc45bd8a97e11338d30c2ad026eda8063a32206ad78c4166fd1b77079b
                              • Instruction Fuzzy Hash: 90212232900104EBCB24EBA9E94699E7378AB08324F20017FF844B72D1DB389F458BD9
                              APIs
                              • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,00418344,00000000), ref: 00418C3E
                              • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,00418344,00000000), ref: 00418C52
                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,00418344,00000000), ref: 00418C5F
                              • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00418344,00000000), ref: 00418C94
                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,00418344,00000000), ref: 00418CA6
                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,00418344,00000000), ref: 00418CA9
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: Service$CloseHandle$Open$ChangeConfigManager
                              • String ID:
                              • API String ID: 493672254-0
                              • Opcode ID: 6b3aada76383092df42fd9d8378ae16ca6440a91692c2fe76f90724c69c65514
                              • Instruction ID: 151ede47f5a01f66990efdacd58a0b59027112db6305451f0336687f4909308b
                              • Opcode Fuzzy Hash: 6b3aada76383092df42fd9d8378ae16ca6440a91692c2fe76f90724c69c65514
                              • Instruction Fuzzy Hash: A20149711862183AE6108B389C4EEBB3A6CDB42771F14032FF925A32D1EE68CD4185F9
                              APIs
                              • GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                              • _free.LIBCMT ref: 0044575C
                              • _free.LIBCMT ref: 00445784
                              • SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 00445791
                              • SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                              • _abort.LIBCMT ref: 004457A3
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: ErrorLast$_free$_abort
                              • String ID:
                              • API String ID: 3160817290-0
                              • Opcode ID: 2164e89f114e7cf86b97a0d05c6cee2e89ce7be6ffa074a4cf04242e0fee9013
                              • Instruction ID: 2afc6a99b93033dbed13f8def56e2284daf42193b39b630cfab03248b002a5f8
                              • Opcode Fuzzy Hash: 2164e89f114e7cf86b97a0d05c6cee2e89ce7be6ffa074a4cf04242e0fee9013
                              • Instruction Fuzzy Hash: 6EF0FE35100F0067FA117B367C8AB2F1A695FC2B2AF21013BF419D6293EE3DC902452D
                              APIs
                              • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,004185D9,00000000), ref: 00418A6B
                              • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,004185D9,00000000), ref: 00418A7F
                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004185D9,00000000), ref: 00418A8C
                              • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,004185D9,00000000), ref: 00418A9B
                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004185D9,00000000), ref: 00418AAD
                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004185D9,00000000), ref: 00418AB0
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: Service$CloseHandle$Open$ControlManager
                              • String ID:
                              • API String ID: 221034970-0
                              • Opcode ID: f9d93c7612eed7e1ddf8c3953865d04e5265de3587757247bbfd6a1c47877660
                              • Instruction ID: 4afe7732e2fa81f36ccf108e41ed7890102f29a09d0e479adccf976045b68e04
                              • Opcode Fuzzy Hash: f9d93c7612eed7e1ddf8c3953865d04e5265de3587757247bbfd6a1c47877660
                              • Instruction Fuzzy Hash: A4F0C2315013186BD210EBA5DC89EBF3BACDF45B96B41002BFD0993192DF38CD4689E9
                              APIs
                              • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,00418559,00000000), ref: 00418B6F
                              • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00418559,00000000), ref: 00418B83
                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00418559,00000000), ref: 00418B90
                              • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,00418559,00000000), ref: 00418B9F
                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00418559,00000000), ref: 00418BB1
                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00418559,00000000), ref: 00418BB4
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: Service$CloseHandle$Open$ControlManager
                              • String ID:
                              • API String ID: 221034970-0
                              • Opcode ID: 027b45ec19db43cd3e6d09ceb5389eefa79acdbdadc7d59ed190380558829436
                              • Instruction ID: 20460b91a854b5e3c53015269073f2e928c2deccd9acf6b4d89527a320d4dccf
                              • Opcode Fuzzy Hash: 027b45ec19db43cd3e6d09ceb5389eefa79acdbdadc7d59ed190380558829436
                              • Instruction Fuzzy Hash: 22F0C2715402186BD210EB65DC89EBF3BACDB45B52B81006AFE09A3192DE38DD4589E9
                              APIs
                              • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,004184D9,00000000), ref: 00418BD6
                              • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,004184D9,00000000), ref: 00418BEA
                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004184D9,00000000), ref: 00418BF7
                              • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,004184D9,00000000), ref: 00418C06
                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004184D9,00000000), ref: 00418C18
                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004184D9,00000000), ref: 00418C1B
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: Service$CloseHandle$Open$ControlManager
                              • String ID:
                              • API String ID: 221034970-0
                              • Opcode ID: 60f77fd359bc8166b0f1f63c621f75235c8633bea2de10f026708dad38e6f72c
                              • Instruction ID: 1da220ff3ffe1d32b0df5c47a21bcd1adf2661b27de4fa42f8fed5365a22baa8
                              • Opcode Fuzzy Hash: 60f77fd359bc8166b0f1f63c621f75235c8633bea2de10f026708dad38e6f72c
                              • Instruction Fuzzy Hash: 32F0C2715012186BD210EB65EC89DBF3BACDB45B51B41002AFE0993192DF38CD4589F9
                              APIs
                              • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409745), ref: 004096A3
                              • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409745), ref: 004096B2
                              • Sleep.KERNEL32(00002710,?,?,?,00409745), ref: 004096DF
                              • CloseHandle.KERNEL32(00000000,?,?,?,00409745), ref: 004096E6
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: File$CloseCreateHandleSizeSleep
                              • String ID: h G
                              • API String ID: 1958988193-3300504347
                              • Opcode ID: 2165585e5b18e3410dae2497746dd606356f3a02818af73040aae92c32689789
                              • Instruction ID: 1483d32ec36d41576822df3093d1b75ffc22edec2a146082987510034e162158
                              • Opcode Fuzzy Hash: 2165585e5b18e3410dae2497746dd606356f3a02818af73040aae92c32689789
                              • Instruction Fuzzy Hash: 24113D70201380ABD7316B749D99A2F3A9BB746304F44087EF281636D3C67D5C44C32E
                              APIs
                              • RegisterClassExA.USER32(00000030), ref: 0041B310
                              • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041B32B
                              • GetLastError.KERNEL32 ref: 0041B335
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: ClassCreateErrorLastRegisterWindow
                              • String ID: 0$MsgWindowClass
                              • API String ID: 2877667751-2410386613
                              • Opcode ID: 5c8849b15fa1cc9467c1d7fb15406a30d7545ffe8e7388a5e40320623bb372a5
                              • Instruction ID: 33db8f89e50e9671cec9701a72200cc03bcb20702a276687bfdd99081a41ce18
                              • Opcode Fuzzy Hash: 5c8849b15fa1cc9467c1d7fb15406a30d7545ffe8e7388a5e40320623bb372a5
                              • Instruction Fuzzy Hash: 1F0125B190031CABDB10DFE5EC849EFBBBCFB08355F40052AF810A2250E77599048AA4
                              APIs
                              • ___BuildCatchObject.LIBVCRUNTIME ref: 0043761A
                                • Part of subcall function 00437C52: ___AdjustPointer.LIBCMT ref: 00437C9C
                              • _UnwindNestedFrames.LIBCMT ref: 00437631
                              • ___FrameUnwindToState.LIBVCRUNTIME ref: 00437643
                              • CallCatchBlock.LIBVCRUNTIME ref: 00437667
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                              • String ID: /zC
                              • API String ID: 2633735394-4132788633
                              • Opcode ID: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                              • Instruction ID: d669bc69f5b2d8c9fbf55978af89ff33433ac2085b506f133949dc977f569c90
                              • Opcode Fuzzy Hash: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                              • Instruction Fuzzy Hash: 44012D72004508BBCF225F56CC42EDA3BBAEF4C764F15501AFA9861220C33AE861DF98
                              APIs
                              • GetSystemMetrics.USER32(0000004C), ref: 004173AA
                              • GetSystemMetrics.USER32(0000004D), ref: 004173B0
                              • GetSystemMetrics.USER32(0000004E), ref: 004173B6
                              • GetSystemMetrics.USER32(0000004F), ref: 004173BC
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: MetricsSystem
                              • String ID: ]tA
                              • API String ID: 4116985748-3517819141
                              • Opcode ID: 812a9219b2c6697e1b7e6c0967c7113de32af3875f372bd592213eda7148f6bd
                              • Instruction ID: 3cbdadbf3de93f5eefc1923f71e525f4be7d9c38d0567e5d5edaddbebabc810f
                              • Opcode Fuzzy Hash: 812a9219b2c6697e1b7e6c0967c7113de32af3875f372bd592213eda7148f6bd
                              • Instruction Fuzzy Hash: 64F0AFB1B043254BD700EA7A8C41A6FAAE59BD4274F11443FFA09C7282EEB8DC458B94
                              APIs
                              • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?,?,?,?,?,00000000,00471FFC), ref: 0040E547
                              • CloseHandle.KERNEL32(?,?,?,?,?,00000000,00471FFC), ref: 0040E556
                              • CloseHandle.KERNEL32(?,?,?,?,?,00000000,00471FFC), ref: 0040E55B
                              Strings
                              • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 0040E53D
                              • C:\Windows\System32\cmd.exe, xrefs: 0040E542
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseHandle$CreateProcess
                              • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                              • API String ID: 2922976086-4183131282
                              • Opcode ID: 5cb763d495b165fc4f9c66d013102bd94a78ddd016aca5e3dc924e3fee2ecf0f
                              • Instruction ID: 9c8cd13d2f2f5b55d8ef3643fb71004f418ed3317f879fdff7c1c4061e2abca7
                              • Opcode Fuzzy Hash: 5cb763d495b165fc4f9c66d013102bd94a78ddd016aca5e3dc924e3fee2ecf0f
                              • Instruction Fuzzy Hash: 1AF06276D0029C7ACB20AAD7AC0DEDF7F3CEBC6B11F00005AB504A2050D5746540CAB5
                              APIs
                              • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,004407EB,00000000,?,0044078B,00000000,0046B4F8,0000000C,004408E2,00000000,00000002), ref: 0044085A
                              • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044086D
                              • FreeLibrary.KERNEL32(00000000,?,?,?,004407EB,00000000,?,0044078B,00000000,0046B4F8,0000000C,004408E2,00000000,00000002), ref: 00440890
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressFreeHandleLibraryModuleProc
                              • String ID: CorExitProcess$mscoree.dll
                              • API String ID: 4061214504-1276376045
                              • Opcode ID: cfbbdf30ec96b6666769d195f1efe458a00f065bb439fa98bb073361271b6784
                              • Instruction ID: 0a8d3f567fe41ef9be558500660f8c42ae883db5e601ee7dbbda2c1d2cd30ed9
                              • Opcode Fuzzy Hash: cfbbdf30ec96b6666769d195f1efe458a00f065bb439fa98bb073361271b6784
                              • Instruction Fuzzy Hash: EAF0A431900618BBDB10AF61DC09BAEBFB4DB04756F510275F905A2261CB74CE54CA98
                              APIs
                              • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00471E90,00404E5A,00000001,?,00000000,00471E90,00404C88,00000000,?,?,00000000), ref: 00405100
                              • SetEvent.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000), ref: 0040510C
                              • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00471E90,00404C88,00000000,?,?,00000000), ref: 00405117
                              • CloseHandle.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000), ref: 00405120
                                • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                              Strings
                              • Connection KeepAlive | Disabled, xrefs: 004050D9
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                              • String ID: Connection KeepAlive | Disabled
                              • API String ID: 2993684571-3818284553
                              • Opcode ID: 225cf815540c87da9bddac79f5b913ec4e7dd3a96093c31c561b7671f502e72f
                              • Instruction ID: 9f72672606b7a98fb4f6c5586ee23e87f0057564a74405461857646c77684129
                              • Opcode Fuzzy Hash: 225cf815540c87da9bddac79f5b913ec4e7dd3a96093c31c561b7671f502e72f
                              • Instruction Fuzzy Hash: 73F09671D047007FEB1037759D0AA6B7F98DB02315F44096EF882526E1D5B988509B5A
                              APIs
                              • GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 004013FC
                              • GetProcAddress.KERNEL32(00000000), ref: 00401403
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressHandleModuleProc
                              • String ID: GetCursorInfo$User32.dll$`Wu
                              • API String ID: 1646373207-4024354691
                              • Opcode ID: 088d9d047025d8497e924925820d5eb65f0f262b7c85d6662a4774416c360c30
                              • Instruction ID: b28a71f0ab0cd05a0e9183a6667f806437ada0decc35e30242c3667109896680
                              • Opcode Fuzzy Hash: 088d9d047025d8497e924925820d5eb65f0f262b7c85d6662a4774416c360c30
                              • Instruction Fuzzy Hash: 8BB09BB5741301BB8A017B705E0D905357C550470375102A3B00386161F7F44500C61E
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 0ee00742f353d3b6c360b2e24851711a1429195aca157381f7858ce70f5acd61
                              • Instruction ID: 08a5b5d7c592992a36ca4e715a0fda7f3efcfcd9ac9fa05da90acde50f0064fb
                              • Opcode Fuzzy Hash: 0ee00742f353d3b6c360b2e24851711a1429195aca157381f7858ce70f5acd61
                              • Instruction Fuzzy Hash: C471C3319002169BCB21CF55C884BFFBB75EF99320F24622BEA5167241DB788D41CBE9
                              APIs
                              • Sleep.KERNEL32(00000000,?), ref: 004044A4
                                • Part of subcall function 004045E7: __EH_prolog.LIBCMT ref: 004045EC
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: H_prologSleep
                              • String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera
                              • API String ID: 3469354165-3547787478
                              • Opcode ID: 2596316b9bbcd228594034146af270f3e01bd3c3610974548e797489da08f636
                              • Instruction ID: 7794b0ea9bf29785644917a3a4e5658b539d561772896ef264e5995737b90c85
                              • Opcode Fuzzy Hash: 2596316b9bbcd228594034146af270f3e01bd3c3610974548e797489da08f636
                              • Instruction Fuzzy Hash: 5951E8B1B0420167C614BB769D5AA6E3795ABC0744F00053FFA45A77E2EF7C8D09C29E
                              APIs
                                • Part of subcall function 00443649: RtlAllocateHeap.NTDLL(00000000,00433069,?,?,004365E7,?,?,00000000,00473A38,?,0040C88A,00433069,?,?,?,?), ref: 0044367B
                              • _free.LIBCMT ref: 00442318
                              • _free.LIBCMT ref: 0044232F
                              • _free.LIBCMT ref: 0044234E
                              • _free.LIBCMT ref: 00442369
                              • _free.LIBCMT ref: 00442380
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: _free$AllocateHeap
                              • String ID:
                              • API String ID: 3033488037-0
                              • Opcode ID: 68d3d4ca8a647a007ad94700598122f23d06d752802edf7745cc1232d3d9ba81
                              • Instruction ID: f6524bd8b7bf53f5b45239f2df66d8239dbe938cd5ee0330fa6954bf91cd2c46
                              • Opcode Fuzzy Hash: 68d3d4ca8a647a007ad94700598122f23d06d752802edf7745cc1232d3d9ba81
                              • Instruction Fuzzy Hash: 2951C331A00704AFEB20DF6AC941A6A77F4FF49724F54466EF809DB250E7B9DA018B48
                              APIs
                              • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045C1E4), ref: 004468FE
                              • WideCharToMultiByte.KERNEL32(00000000,00000000,0046F754,000000FF,00000000,0000003F,00000000,?,?), ref: 00446976
                              • WideCharToMultiByte.KERNEL32(00000000,00000000,0046F7A8,000000FF,?,0000003F,00000000,?), ref: 004469A3
                              • _free.LIBCMT ref: 004468EC
                                • Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
                                • Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA
                              • _free.LIBCMT ref: 00446AB8
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                              • String ID:
                              • API String ID: 1286116820-0
                              • Opcode ID: 13e783ce7238224165918a71ff61bbb040dde026da6db54b448d3cbd4e0f0125
                              • Instruction ID: 7fd05a225221f517daf6149bd07272def0d2f8fc9e30777fa7538f83a84e5ba5
                              • Opcode Fuzzy Hash: 13e783ce7238224165918a71ff61bbb040dde026da6db54b448d3cbd4e0f0125
                              • Instruction Fuzzy Hash: 63511DB1900205ABEB10EF65DC8196A77BCEF42714B12027FE454A7291EBB89E44CB5E
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: _free
                              • String ID:
                              • API String ID: 269201875-0
                              • Opcode ID: 76d0ae20e321c1f8d33a0e61d3fd8decc26b720c3d8a788f20ca92602b864a36
                              • Instruction ID: cd63c3b426f476a3995244c06b7e284d95fcad26de8669326c9f329b52a78418
                              • Opcode Fuzzy Hash: 76d0ae20e321c1f8d33a0e61d3fd8decc26b720c3d8a788f20ca92602b864a36
                              • Instruction Fuzzy Hash: AE41E132E002049FEB10DF79C981A5EB3F5EF88718F1585AAE915EB351EA74AD41CB84
                              APIs
                              • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00439ED1,?,00000000,?,00000001,?,?,00000001,00439ED1,?), ref: 0044E359
                              • __alloca_probe_16.LIBCMT ref: 0044E391
                              • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0044E3E2
                              • GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00438C3F,?), ref: 0044E3F4
                              • __freea.LIBCMT ref: 0044E3FD
                                • Part of subcall function 00443649: RtlAllocateHeap.NTDLL(00000000,00433069,?,?,004365E7,?,?,00000000,00473A38,?,0040C88A,00433069,?,?,?,?), ref: 0044367B
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                              • String ID:
                              • API String ID: 313313983-0
                              • Opcode ID: 655f7a8a6140fe06f74d4810f19312272e80c6b42afcaa61e472fb93c242db7b
                              • Instruction ID: e15509fa74df4b182af5404410fa86f763612774b1e54c01db9847f8ec559460
                              • Opcode Fuzzy Hash: 655f7a8a6140fe06f74d4810f19312272e80c6b42afcaa61e472fb93c242db7b
                              • Instruction Fuzzy Hash: BC31D232A0021AABEF259F66DC45DAF7BA5EF40710F05016AFC04DB291EB39DD51CB98
                              APIs
                              • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401BD9
                              • waveInOpen.WINMM(0046FAB0,000000FF,0046FA98,Function_00001CEB,00000000,00000000,00000024), ref: 00401C6F
                              • waveInPrepareHeader.WINMM(0046FA78,00000020), ref: 00401CC3
                              • waveInAddBuffer.WINMM(0046FA78,00000020), ref: 00401CD2
                              • waveInStart.WINMM ref: 00401CDE
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                              • String ID:
                              • API String ID: 1356121797-0
                              • Opcode ID: a5aa28857088cf9e2c0b2d910deecd96170581a9a307f5b2914fac260bae8331
                              • Instruction ID: fb7f9cdbf736b3995f9a1dd050f0e4013ef0d97c015e7d4644af59ef24d86031
                              • Opcode Fuzzy Hash: a5aa28857088cf9e2c0b2d910deecd96170581a9a307f5b2914fac260bae8331
                              • Instruction Fuzzy Hash: 77212C326242019BC7049FEABD0591A7BA9FB89714740943BF58DD7AB1FBF844098B0E
                              APIs
                              • GetEnvironmentStringsW.KERNEL32 ref: 0044C543
                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044C566
                                • Part of subcall function 00443649: RtlAllocateHeap.NTDLL(00000000,00433069,?,?,004365E7,?,?,00000000,00473A38,?,0040C88A,00433069,?,?,?,?), ref: 0044367B
                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044C58C
                              • _free.LIBCMT ref: 0044C59F
                              • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044C5AE
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                              • String ID:
                              • API String ID: 336800556-0
                              • Opcode ID: 55ab520b62cbc01e0d1004e3f78ad65e034532d4f5c4574cc0f3edc3ad35f3b1
                              • Instruction ID: 9106a42af1dcf347f359e8079d91fbce8cfabd6158495d04cb7d137736bc8ec9
                              • Opcode Fuzzy Hash: 55ab520b62cbc01e0d1004e3f78ad65e034532d4f5c4574cc0f3edc3ad35f3b1
                              • Instruction Fuzzy Hash: AD0171726037257F37611AA75CC8C7F7A6DDAC6BA5319016BB904C3201EA79EE0181B8
                              APIs
                              • CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041A29A,00000000,00000000,00000000), ref: 0041A1BA
                              • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00000004,00000000,0041A29A,00000000,00000000), ref: 0041A1D7
                              • CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041A29A,00000000,00000000), ref: 0041A1E3
                              • WriteFile.KERNEL32(00000000,00000000,00000000,0040649B,00000000,?,00000004,00000000,0041A29A,00000000,00000000), ref: 0041A1F4
                              • CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041A29A,00000000,00000000), ref: 0041A201
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: File$CloseHandle$CreatePointerWrite
                              • String ID:
                              • API String ID: 1852769593-0
                              • Opcode ID: 900e91da6aef5ae1ef2d64e2906a14ebfc53969b27a9c650ee74425d8e4f4bd5
                              • Instruction ID: 9d85e8900f1be3931a26f88ae5ac80d5e45035a8363d546858a313564ae31bc3
                              • Opcode Fuzzy Hash: 900e91da6aef5ae1ef2d64e2906a14ebfc53969b27a9c650ee74425d8e4f4bd5
                              • Instruction Fuzzy Hash: 0911C4712062147FE6105A249C88EFB779CEB46375F10076AF556C32D1C6698C95863B
                              APIs
                              • std::_Lockit::_Lockit.LIBCPMT ref: 0040FBD5
                              • int.LIBCPMT ref: 0040FBE8
                                • Part of subcall function 0040CAE9: std::_Lockit::_Lockit.LIBCPMT ref: 0040CAFA
                                • Part of subcall function 0040CAE9: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CB14
                              • std::_Facet_Register.LIBCPMT ref: 0040FC28
                              • std::_Lockit::~_Lockit.LIBCPMT ref: 0040FC31
                              • __CxxThrowException@8.LIBVCRUNTIME ref: 0040FC4F
                              • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                              • String ID:
                              • API String ID: 2536120697-0
                              APIs
                              • _free.LIBCMT ref: 0044DBB4
                                • Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
                                • Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA
                              • _free.LIBCMT ref: 0044DBC6
                              • _free.LIBCMT ref: 0044DBD8
                              • _free.LIBCMT ref: 0044DBEA
                              • _free.LIBCMT ref: 0044DBFC
                              • API ID: _free$ErrorFreeHeapLast
                              • String ID:
                              • API String ID: 776569668-0
                              APIs
                              • _free.LIBCMT ref: 00441566
                                • Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
                                • Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA
                              • _free.LIBCMT ref: 00441578
                              • _free.LIBCMT ref: 0044158B
                              • _free.LIBCMT ref: 0044159C
                              • _free.LIBCMT ref: 004415AD
                              • API ID: _free$ErrorFreeHeapLast
                              • String ID:
                              • API String ID: 776569668-0
                              APIs
                              • RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 004124AD
                              • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 004124DC
                              • RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710,?,?,?,?,?,?,?,?), ref: 0041257C
                              Strings
                              • API ID: Enum$InfoQueryValue
                              • String ID: [regsplt]
                              • API String ID: 3554306468-4262303796
                              APIs
                              • _strpbrk.LIBCMT ref: 0044B918
                              • _free.LIBCMT ref: 0044BA35
                                • Part of subcall function 00439AA3: IsProcessorFeaturePresent.KERNEL32(00000017,00439A75,?,?,?,?,?,00000000,?,?,00439A95,00000000,00000000,00000000,00000000,00000000), ref: 00439AA5
                                • Part of subcall function 00439AA3: GetCurrentProcess.KERNEL32(C0000417), ref: 00439AC7
                                • Part of subcall function 00439AA3: TerminateProcess.KERNEL32(00000000), ref: 00439ACE
                              Strings
                              • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                              • String ID: *?$.
                              • API String ID: 2812119850-3972193922
                              APIs
                              Strings
                              • API ID: __alloca_probe_16__freea
                              • String ID: H"G$H"GH"G
                              • API String ID: 1635606685-3036711414
                              APIs
                              • __Init_thread_footer.LIBCMT ref: 0040189E
                              • ExitThread.KERNEL32 ref: 004018D6
                              • waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00471E78,00000000), ref: 004019E4
                                • Part of subcall function 00432525: __onexit.LIBCMT ref: 0043252B
                              Strings
                              • API ID: ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                              • String ID: 8:G
                              • API String ID: 1649129571-405301104
                              APIs
                              • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Roaming\AASHNosznogz.exe,00000104), ref: 00440975
                              • _free.LIBCMT ref: 00440A40
                              • _free.LIBCMT ref: 00440A4A
                              Strings
                              • API ID: _free$FileModuleName
                              • String ID: C:\Users\user\AppData\Roaming\AASHNosznogz.exe
                              • API String ID: 2506810119-3956424175
                              APIs
                                • Part of subcall function 00412006: RegOpenKeyExW.ADVAPI32(80000000,http\shell\open\command,00000000,00020019,00000000,00472248,00471FFC), ref: 00412030
                                • Part of subcall function 00412006: RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,?,00000400), ref: 0041204B
                                • Part of subcall function 00412006: RegCloseKey.ADVAPI32(00000000), ref: 00412054
                                • Part of subcall function 00419F23: GetCurrentProcess.KERNEL32(?,?,?,0040C663,WinDir,00000000,00000000), ref: 00419F34
                              • _wcslen.LIBCMT ref: 00419744
                              Strings
                              • API ID: CloseCurrentOpenProcessQueryValue_wcslen
                              • String ID: .exe$program files (x86)\$program files\
                              • API String ID: 37874593-1203593143
                              APIs
                              • CreateThread.KERNEL32(00000000,00000000,00409305,00472008,00000000,00000000), ref: 0040928B
                              • CreateThread.KERNEL32(00000000,00000000,004092EF,00472008,00000000,00000000), ref: 0040929B
                              • CreateThread.KERNEL32(00000000,00000000,00409311,00472008,00000000,00000000), ref: 004092A7
                                • Part of subcall function 0040A0B0: GetLocalTime.KERNEL32(?,Offline Keylogger Started,00472008), ref: 0040A0BE
                                • Part of subcall function 0040A0B0: wsprintfW.USER32 ref: 0040A13F
                              Strings
                              • API ID: CreateThread$LocalTimewsprintf
                              • String ID: Offline Keylogger Started
                              • API String ID: 465354869-4114347211
                              APIs
                                • Part of subcall function 0040A0B0: GetLocalTime.KERNEL32(?,Offline Keylogger Started,00472008), ref: 0040A0BE
                                • Part of subcall function 0040A0B0: wsprintfW.USER32 ref: 0040A13F
                                • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                              • CreateThread.KERNEL32(00000000,00000000,004092EF,?,00000000,00000000), ref: 00409EB7
                              • CreateThread.KERNEL32(00000000,00000000,00409311,?,00000000,00000000), ref: 00409EC3
                              • CreateThread.KERNEL32(00000000,00000000,0040931D,?,00000000,00000000), ref: 00409ECF
                              Strings
                              • API ID: CreateThread$LocalTime$wsprintf
                              • String ID: Online Keylogger Started
                              • API String ID: 112202259-1258561607
                              APIs
                              • GetLocalTime.KERNEL32(?), ref: 00404F61
                              • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00404FAD
                              • CreateThread.KERNEL32(00000000,00000000,00405130,?,00000000,00000000), ref: 00404FC0
                              Strings
                              • Connection KeepAlive | Enabled | Timeout: , xrefs: 00404F74
                              • API ID: Create$EventLocalThreadTime
                              • String ID: Connection KeepAlive | Enabled | Timeout:
                              • API String ID: 2532271599-507513762
                              APIs
                              • LoadLibraryA.KERNEL32(crypt32,CryptUnprotectData,?,00000000,00406039,?), ref: 00406090
                              • GetProcAddress.KERNEL32(00000000), ref: 00406097
                              Strings
                              • API ID: AddressLibraryLoadProc
                              • String ID: CryptUnprotectData$crypt32
                              • API String ID: 2574300362-2380590389
                              APIs
                              • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00405139), ref: 00405153
                              • CloseHandle.KERNEL32(?), ref: 004051AA
                              • SetEvent.KERNEL32(?), ref: 004051B9
                              Strings
                              • API ID: CloseEventHandleObjectSingleWait
                              • String ID: Connection Timeout
                              • API String ID: 2055531096-499159329
                              APIs
                              • __CxxThrowException@8.LIBVCRUNTIME ref: 0040D25E
                              Strings
                              • API ID: Exception@8Throw
                              • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                              • API String ID: 2005118841-1866435925
                              APIs
                              • RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,origmsc), ref: 00412104
                              • RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,000003E8,?), ref: 0041211D
                              • RegCloseKey.ADVAPI32(00000000), ref: 00412128
                              Strings
                              • API ID: CloseOpenQueryValue
                              • String ID: origmsc
                              • API String ID: 3677997916-68016026
                              APIs
                              • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0041487B
                              Strings
                              • API ID: ExecuteShell
                              • String ID: /C $cmd.exe$open
                              • API String ID: 587946157-3896048727
                              APIs
                              • RegOpenKeyExW.ADVAPI32(80000000,http\shell\open\command,00000000,00020019,00000000,00472248,00471FFC), ref: 00412030
                              • RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,?,00000400), ref: 0041204B
                              • RegCloseKey.ADVAPI32(00000000), ref: 00412054
                              Strings
                              • http\shell\open\command, xrefs: 00412026
                              • API ID: CloseOpenQueryValue
                              • String ID: http\shell\open\command
                              • API String ID: 3677997916-1487954565
                              APIs
                              • RegCreateKeyW.ADVAPI32(80000001,Software\Classes\mscfile\shell\open\command,0046FB08), ref: 0041220F
                              • RegSetValueExW.ADVAPI32(0046FB08,00469654,00000000,00000000,00000000,00000000,00469654,?,80000001,?,0040674F,00469654,0046FB08), ref: 0041223E
                              • RegCloseKey.ADVAPI32(0046FB08,?,80000001,?,0040674F,00469654,0046FB08), ref: 00412249
                              Strings
                              • Software\Classes\mscfile\shell\open\command, xrefs: 0041220D
                              • API ID: CloseCreateValue
                              • String ID: Software\Classes\mscfile\shell\open\command
                              • API String ID: 1818849710-505396733
                              APIs
                              • std::_Lockit::_Lockit.LIBCPMT ref: 0040C9D9
                              • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040CA18
                                • Part of subcall function 004333ED: _Yarn.LIBCPMT ref: 0043340C
                                • Part of subcall function 004333ED: _Yarn.LIBCPMT ref: 00433430
                              • __CxxThrowException@8.LIBVCRUNTIME ref: 0040CA3E
                              Strings
                              • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                              • String ID: bad locale name
                              • API String ID: 3628047217-1405518554
                              APIs
                              • RegCreateKeyA.ADVAPI32(80000001,00000000,P0F), ref: 00412276
                              • RegSetValueExA.ADVAPI32(P0F,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B093,004638E0,00000001,000000AF,00463050), ref: 00412291
                              • RegCloseKey.ADVAPI32(?,?,?,?,0040B093,004638E0,00000001,000000AF,00463050), ref: 0041229C
                              Strings
                              • API ID: CloseCreateValue
                              • String ID: P0F
                              • API String ID: 1818849710-3540264436
                              • Opcode ID: 621f54e733439cbcd958662464d090e9ff9f63f5a417d09ab0c58a6b3b1f16b4
                              • Instruction ID: aa9041bc7d36289a95917c0f975a521a353b8518001b5fa9068edf17b8c75ad2
                              • Opcode Fuzzy Hash: 621f54e733439cbcd958662464d090e9ff9f63f5a417d09ab0c58a6b3b1f16b4
                              • Instruction Fuzzy Hash: 05E03972600308BBDB209FA09D05FEA7B6CEF04B62F1141A5BF09A6591D2758E14A7A8
                              APIs
                              • LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 004014A1
                              • GetProcAddress.KERNEL32(00000000), ref: 004014A8
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressLibraryLoadProc
                              • String ID: GetLastInputInfo$User32.dll
                              • API String ID: 2574300362-1519888992
                              • Opcode ID: 0a32acb6837364cc41bfb1711514e79ed8798cba9f1c44e4cca123ab277e4417
                              • Instruction ID: 9c97512ccc3e9dae7fbe55962af9901819d65f6a69b3e33b2a0b565c767961ff
                              • Opcode Fuzzy Hash: 0a32acb6837364cc41bfb1711514e79ed8798cba9f1c44e4cca123ab277e4417
                              • Instruction Fuzzy Hash: 51B092B1980302AB8E006FB1AE0DE043AB8A604703B5102B6B00292161EAF99440CF2E
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: __alldvrm$_strrchr
                              • String ID:
                              • API String ID: 1036877536-0
                              • Opcode ID: ffe43cf3e465c727d5e0953a870d72e00f4610d42b915cf7dfa75284df7637f7
                              • Instruction ID: 8a3f88530d83194aa24a517e4ef6e15a272d99a70002873db7a8ab856bdac54d
                              • Opcode Fuzzy Hash: ffe43cf3e465c727d5e0953a870d72e00f4610d42b915cf7dfa75284df7637f7
                              • Instruction Fuzzy Hash: 18A12572A012869FFB21CE18C8817AEBBA1EF65314F24416FE5859B382CA3C8941C759
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 708417122de2711bb2eb7b93dd9c5bc77eababb27f74811c5393ad6cf28abd82
                              • Instruction ID: c1abd53b49e6a7723cad7358b49d7c046164203d86e3a19123cc85c40c5f12b7
                              • Opcode Fuzzy Hash: 708417122de2711bb2eb7b93dd9c5bc77eababb27f74811c5393ad6cf28abd82
                              • Instruction Fuzzy Hash: 93412871E00704AFD7249F79CC46B5A7BA9EB8C714F10523FF142DB681D37999498788
                              APIs
                              • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,00471EE8), ref: 00404D93
                              • CreateThread.KERNEL32(00000000,00000000,?,00471E90,00000000,00000000), ref: 00404DA7
                              • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000), ref: 00404DB2
                              • CloseHandle.KERNEL32(?,?,00000000), ref: 00404DBB
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: Create$CloseEventHandleObjectSingleThreadWait
                              • String ID:
                              • API String ID: 3360349984-0
                              • Opcode ID: 4507b0ab51a6c89f5a00a7e6d16978d5bd04c0451300ea21d68f1003f035869f
                              • Instruction ID: 0d5bef4af40d9751d8a4c840d6feadb85822b330c50e1cee3accc81e25362d00
                              • Opcode Fuzzy Hash: 4507b0ab51a6c89f5a00a7e6d16978d5bd04c0451300ea21d68f1003f035869f
                              • Instruction Fuzzy Hash: DA4194712083016FCB11FB61CD55D6FB7EDAFD4314F400A3EB982A32E2DB7899098666
                              Strings
                              • [Cleared browsers logins and cookies.], xrefs: 0040B025
                              • Cleared browsers logins and cookies., xrefs: 0040B036
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: Sleep
                              • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                              • API String ID: 3472027048-1236744412
                              • Opcode ID: c5625c41e3350cd44f31e3f39ca14d3df05c6bc0ef5032128f41299be6cd647b
                              • Instruction ID: 9e673e540e653d5dfc9c41bfd33b173fe745421aa21f598ea7623546fa890e2b
                              • Opcode Fuzzy Hash: c5625c41e3350cd44f31e3f39ca14d3df05c6bc0ef5032128f41299be6cd647b
                              • Instruction Fuzzy Hash: EE31A24074C3826EDA11BBB555267EF6B924A53758F0844BFF8C42B3C3D9BA4818936F
                              APIs
                                • Part of subcall function 004120E8: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,origmsc), ref: 00412104
                                • Part of subcall function 004120E8: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,000003E8,?), ref: 0041211D
                                • Part of subcall function 004120E8: RegCloseKey.ADVAPI32(00000000), ref: 00412128
                              • Sleep.KERNEL32(00000BB8), ref: 004111DF
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseOpenQuerySleepValue
                              • String ID: H"G$exepath$!G
                              • API String ID: 4119054056-2148977334
                              • Opcode ID: b63ef4792b0a54595826799ca09291a4a0f263f6c30614dda09e5540f09a92a9
                              • Instruction ID: cc1704131a0fe244d5c58522e2247ad29464f3afd50ace533094a5add093a815
                              • Opcode Fuzzy Hash: b63ef4792b0a54595826799ca09291a4a0f263f6c30614dda09e5540f09a92a9
                              • Instruction Fuzzy Hash: 2321F7A1B0030426DA00B7765D56AAF724D8B84308F00447FBE46F72E3DEBC9D0981AD
                              APIs
                                • Part of subcall function 0041A2DB: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041A2EB
                                • Part of subcall function 0041A2DB: GetWindowTextLengthW.USER32(00000000), ref: 0041A2F4
                                • Part of subcall function 0041A2DB: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041A31E
                              • Sleep.KERNEL32(000001F4), ref: 0040955A
                              • Sleep.KERNEL32(00000064), ref: 004095F5
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: Window$SleepText$ForegroundLength
                              • String ID: [ $ ]
                              • API String ID: 3309952895-93608704
                              • Opcode ID: 1543f2ebe3b39a11f32b2ab7ee3d2400f3e72a61424cc91a421d40b22e495c0c
                              • Instruction ID: f130b1bb1348f748448b569433b56ba5176942d51498ef551544d7c0cb15bd34
                              • Opcode Fuzzy Hash: 1543f2ebe3b39a11f32b2ab7ee3d2400f3e72a61424cc91a421d40b22e495c0c
                              • Instruction Fuzzy Hash: 2721657160420067C618B776DC179AE32A89F51308F40447FF552772D3EE7D9A05869F
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 87cf1a99992dac899311e5f70d4e339ac3b3345b823034c77296a488e3312c11
                              • Instruction ID: cddd12244c82da27d8fba5a3cfb3b4b8374ea1530061808fe1103b2c2b1f06f2
                              • Opcode Fuzzy Hash: 87cf1a99992dac899311e5f70d4e339ac3b3345b823034c77296a488e3312c11
                              • Instruction Fuzzy Hash: 46018FB26092163EF6302E796CC1F67271CDF517B9B21033BF625622D2EAB8CD254568
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 0a806abc81d082e1cec901e4614177c074956c5300ea34d23f617e0004ee84c8
                              • Instruction ID: ded37596ea74bb71ca552df42b40a6491f306b500b676c7390fdbb9d5d89f826
                              • Opcode Fuzzy Hash: 0a806abc81d082e1cec901e4614177c074956c5300ea34d23f617e0004ee84c8
                              • Instruction Fuzzy Hash: E801D1B220A2163EB6202E796CC9D27631DEF513BE725033BF521522E6EF7DCC855168
                              APIs
                              • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A228
                              • GetFileSize.KERNEL32(00000000,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A23C
                              • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A261
                              • CloseHandle.KERNEL32(00000000,?,00000000,0040410F,00462E24), ref: 0041A26F
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: File$CloseCreateHandleReadSize
                              • String ID:
                              • API String ID: 3919263394-0
                              • Opcode ID: f8144eb0105f9ed2fcebd69b81e7c94004eac80e706136602d8195065f3f2b82
                              • Instruction ID: 89bb00dd3d40589ea0a8ab1c68f17f151e0eed20b013a8aeca2898ab58bcd068
                              • Opcode Fuzzy Hash: f8144eb0105f9ed2fcebd69b81e7c94004eac80e706136602d8195065f3f2b82
                              • Instruction Fuzzy Hash: 6EF0F6B13023087FE6102B21AC84FBF369CDB867A5F01027EF901A32C1CA3A8C054536
                              APIs
                              • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00436CD1
                              • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00436CD6
                              • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00436CDB
                                • Part of subcall function 004381DA: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 004381EB
                              • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00436CF0
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                              • String ID:
                              • API String ID: 1761009282-0
                              • Opcode ID: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                              • Instruction ID: fe0629a2579d5eb29aad24ff52ac89f8c4d28ee3f0e2161d733d9faf058f7893
                              • Opcode Fuzzy Hash: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                              • Instruction Fuzzy Hash: 12C00254040342742C5077B622062AEA350A8AE38DFA7B4CFB892171038D0D440B953F
                              APIs
                              • __startOneArgErrorHandling.LIBCMT ref: 004401ED
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: ErrorHandling__start
                              • String ID: pow
                              • API String ID: 3213639722-2276729525
                              • Opcode ID: 28648d1c5639a1d5ffd860c5db5a803017559560979bfd47f5832c4e42ec8e44
                              • Instruction ID: 9a83a7e01686381b8a8ce0b853cf5bc52d75b03c70b61edc7fb1f4b11142e615
                              • Opcode Fuzzy Hash: 28648d1c5639a1d5ffd860c5db5a803017559560979bfd47f5832c4e42ec8e44
                              • Instruction Fuzzy Hash: 21518A60A842018AFB117714CA4137B3B90EB40701F248DABE5D2563EAEB7D8CB5DA4F
                              APIs
                              • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404046
                                • Part of subcall function 00419959: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040405C), ref: 00419980
                                • Part of subcall function 004168A6: CloseHandle.KERNEL32(004040D5,?,?,004040D5,00462E24), ref: 004168BC
                                • Part of subcall function 004168A6: CloseHandle.KERNEL32($.F,?,?,004040D5,00462E24), ref: 004168C5
                                • Part of subcall function 0041A20F: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A228
                              • Sleep.KERNEL32(000000FA,00462E24), ref: 00404118
                              Strings
                              • /sort "Visit Time" /stext ", xrefs: 00404092
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                              • String ID: /sort "Visit Time" /stext "
                              • API String ID: 368326130-1573945896
                              • Opcode ID: a4a6769404a45eb771fb951e36bc417e5ca480f2d31eb92d27795bae4adf2828
                              • Instruction ID: 7f8942f24ccac46b0034012f494d3192eca769648d2eef92b07e1d28e9d76a7f
                              • Opcode Fuzzy Hash: a4a6769404a45eb771fb951e36bc417e5ca480f2d31eb92d27795bae4adf2828
                              • Instruction Fuzzy Hash: B5316431A0021556CB14FBB6DC969EE73B9AF90308F40017FF506B71E2EE38594ACA99
                              APIs
                                • Part of subcall function 00432525: __onexit.LIBCMT ref: 0043252B
                              • __Init_thread_footer.LIBCMT ref: 0040A6E3
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: Init_thread_footer__onexit
                              • String ID: [End of clipboard]$[Text copied to clipboard]
                              • API String ID: 1881088180-3686566968
                              • Opcode ID: 8b3756b0909f45d78d669578ef8912b34d58c84c6c9fb6c8f8edd64ed624e4fc
                              • Instruction ID: 89f5e7c07999504d217297f9a041c68b3e0b8c5632e5b70e4a6c966e9d45e494
                              • Opcode Fuzzy Hash: 8b3756b0909f45d78d669578ef8912b34d58c84c6c9fb6c8f8edd64ed624e4fc
                              • Instruction Fuzzy Hash: 42218D31A002055ACB04FBA5D892DEDB378AF54308F10453FF506771D2EF38AE4A8A8D
                              APIs
                              • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,0044EF72,?,00000050,?,?,?,?,?), ref: 0044EDF2
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: ACP$OCP
                              • API String ID: 0-711371036
                              • Opcode ID: 2f6255c43d422f9ec28f5694223862b2eeac92ff2acac738a800f64e00dd4497
                              • Instruction ID: ce4b6ecbf16ce97eee8671cf775368e41a8ae942868fb71505acbacd33d5bec2
                              • Opcode Fuzzy Hash: 2f6255c43d422f9ec28f5694223862b2eeac92ff2acac738a800f64e00dd4497
                              • Instruction Fuzzy Hash: 4F21F1E2E00102A2FB348B67CC01BAB72A6FF54B51F568426E90AD7300EB3ADD41C35C
                              APIs
                              • GetWindowTextW.USER32(?,?,0000012C), ref: 00415B2E
                              • IsWindowVisible.USER32(?), ref: 00415B37
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: Window$TextVisible
                              • String ID: (%G
                              • API String ID: 1670992164-3377777310
                              • Opcode ID: 6f17d284cfdb4df53722abd5a13ccbba9f2a9602f3f7b51a6171a740e00953ec
                              • Instruction ID: 7bdbcb6602ffb42e5ce2137d58ff1a132c15f169860b2e192372582f8912ca7a
                              • Opcode Fuzzy Hash: 6f17d284cfdb4df53722abd5a13ccbba9f2a9602f3f7b51a6171a740e00953ec
                              • Instruction Fuzzy Hash: E42166315182019BC314FB61D891EEFB7E9AF94304F50493FF49A920E2FF349A49CA5A
                              APIs
                              • GetLocalTime.KERNEL32(?,004724A8,?,00000000,?,?,?,?,?,?,004146C2,?,00000001,0000004C,00000000), ref: 00405010
                                • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                              • GetLocalTime.KERNEL32(?,004724A8,?,00000000,?,?,?,?,?,?,004146C2,?,00000001,0000004C,00000000), ref: 00405067
                              Strings
                              • Connection KeepAlive | Enabled | Timeout: , xrefs: 00404FFF
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: LocalTime
                              • String ID: Connection KeepAlive | Enabled | Timeout:
                              • API String ID: 481472006-507513762
                              • Opcode ID: db71296423f5ae0c940390bca2fe76bdaa24d7f5692d89ec5d6dad89ab0214d4
                              • Instruction ID: 0beb7a88d254a358a963561f9d97893b624dd36ca90e96b80d49a5b3b1f878f3
                              • Opcode Fuzzy Hash: db71296423f5ae0c940390bca2fe76bdaa24d7f5692d89ec5d6dad89ab0214d4
                              • Instruction Fuzzy Hash: 092137719042406BD304B7219D2976F7794A745308F04047EF845132E2DBBD5988CB9F
                              APIs
                              • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00432D8F
                              • ___raise_securityfailure.LIBCMT ref: 00432E76
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: FeaturePresentProcessor___raise_securityfailure
                              • String ID: (F
                              • API String ID: 3761405300-3109638091
                              • Opcode ID: 8d70a3cd03553c2d68efa77227729d50617932ca87f7888c32547dfbcc783ade
                              • Instruction ID: 494dc9d0fce29d31cb3ef34e393fed80e8221b4646dfbf54f91bf1ae82b1ca01
                              • Opcode Fuzzy Hash: 8d70a3cd03553c2d68efa77227729d50617932ca87f7888c32547dfbcc783ade
                              • Instruction Fuzzy Hash: 8C21F0BD500205DEE700DF16E9856403BE4BB49314F20943AE9088B3A1F3F669918F9F
                              APIs
                              • GetLocalTime.KERNEL32(00000000), ref: 004194F4
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: LocalTime
                              • String ID: | $%02i:%02i:%02i:%03i
                              • API String ID: 481472006-2430845779
                              • Opcode ID: 3ac86647c9e14ca6f93bd036f528b1de7b867f3a903355216a00816ff0bb3ae2
                              • Instruction ID: bce8772fa89f7f7ff9e68bb522557632f538b64cb503c22793e2f51f4d03e72f
                              • Opcode Fuzzy Hash: 3ac86647c9e14ca6f93bd036f528b1de7b867f3a903355216a00816ff0bb3ae2
                              • Instruction Fuzzy Hash: 68117F315042015AC304FBA5D8518EBB3E8AB94308F500A3FF895A21E2FF3CDA49C65A
                              APIs
                              • PathFileExistsW.SHLWAPI(00000000,00000000,?,?,?,?,?,00415594,00000000), ref: 00418CF2
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExistsFilePath
                              • String ID: alarm.wav$x(G
                              • API String ID: 1174141254-2413638199
                              • Opcode ID: 26c40b3e06d19070c32931467931773a754d599fffa5f8131170b201d030b6b4
                              • Instruction ID: fe962266bcbe9b481af3baecc2186877703bd5259ecc619923a55b1e0e4c82aa
                              • Opcode Fuzzy Hash: 26c40b3e06d19070c32931467931773a754d599fffa5f8131170b201d030b6b4
                              • Instruction Fuzzy Hash: 40019270B0430056C604F7A6E9566EE37958BA1358F00857FA849672E2EEBD4D45C6CF
                              APIs
                                • Part of subcall function 0040A0B0: GetLocalTime.KERNEL32(?,Offline Keylogger Started,00472008), ref: 0040A0BE
                                • Part of subcall function 0040A0B0: wsprintfW.USER32 ref: 0040A13F
                                • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                              • CloseHandle.KERNEL32(?), ref: 00409FFD
                              • UnhookWindowsHookEx.USER32 ref: 0040A010
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                              • String ID: Online Keylogger Stopped
                              • API String ID: 1623830855-1496645233
                              • Opcode ID: 844159523aa59948fae8112936e3b7164414e1ec4be296e67346653cf839bcc0
                              • Instruction ID: de94d33b988dbd75262e40483fa5bc1fa77a380ea8b62c1163629748a83ca489
                              • Opcode Fuzzy Hash: 844159523aa59948fae8112936e3b7164414e1ec4be296e67346653cf839bcc0
                              • Instruction Fuzzy Hash: 2601F530A003045BD7257F24C81BBBE7BB59B82304F40056FE541225D2EAB91866E7DF
                              APIs
                              • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000,?,?,?,?,?,?,0040B5A1), ref: 0040B49A
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExistsFilePath
                              • String ID: UserProfile$\AppData\Local\Microsoft\Edge\
                              • API String ID: 1174141254-2800177040
                              • Opcode ID: e6d86c904460ed95f93b6480c1b29343ffc8ef0317c86cf59c19c4bf9a903d1b
                              • Instruction ID: 5821409638838460856efc798fa08f59aead72c028a5ec3eaf808f19191aee33
                              • Opcode Fuzzy Hash: e6d86c904460ed95f93b6480c1b29343ffc8ef0317c86cf59c19c4bf9a903d1b
                              • Instruction Fuzzy Hash: CBF0547090021996CA04FBA6CC57DFF7B6CDA10715B40057FBA01721D3EEBC9E5586D9
                              APIs
                              • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000,?,?,?,?,?,?,0040B53E), ref: 0040B437
                              Strings
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExistsFilePath
                              • String ID: UserProfile$\AppData\Local\Google\Chrome\
                              • API String ID: 1174141254-4188645398
                              • Opcode ID: 3eb312a051bd7b3e881279eab24470592b62138a753e29912da0ff6a2ccc73a2
                              • Instruction ID: 3f8b084fd7c06795b4d0fa8893062b22b44e731770192fac0e06baefb29df0f7
                              • Opcode Fuzzy Hash: 3eb312a051bd7b3e881279eab24470592b62138a753e29912da0ff6a2ccc73a2
                              • Instruction Fuzzy Hash: 3DF08970A0021996CA04FBA6DC479FF7B6CDA10715B40007F7A01721D3EEBC9E498ADD
                              APIs
                              • PathFileExistsW.SHLWAPI(00000000,\Opera Software\Opera Stable\,00000000,?,?,?,?,?,?,0040B604), ref: 0040B4FD
                              Strings
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExistsFilePath
                              • String ID: AppData$\Opera Software\Opera Stable\
                              • API String ID: 1174141254-1629609700
                              • Opcode ID: 642841fccc908c774798103d59d1a545af8806a5893841e3456303e80930f048
                              • Instruction ID: 52471f63f703214977655dbdffc05bc1b666495b4e4508f2cd1aa44db4b955b6
                              • Opcode Fuzzy Hash: 642841fccc908c774798103d59d1a545af8806a5893841e3456303e80930f048
                              • Instruction Fuzzy Hash: 2AF05430900219A6C604FBA6CC479EF7B6C9A50709B40047FB901722D3EEB99A4586DD
                              APIs
                              • GetKeyState.USER32(00000011), ref: 0040A597
                                • Part of subcall function 00409468: GetForegroundWindow.USER32 ref: 0040949C
                                • Part of subcall function 00409468: GetWindowThreadProcessId.USER32(00000000,?), ref: 004094A7
                                • Part of subcall function 00409468: GetKeyboardLayout.USER32(00000000), ref: 004094AE
                                • Part of subcall function 00409468: GetKeyState.USER32(00000010), ref: 004094B8
                                • Part of subcall function 00409468: GetKeyboardState.USER32(?), ref: 004094C5
                                • Part of subcall function 00409468: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 004094E1
                                • Part of subcall function 0040962E: SetEvent.KERNEL32(?,?,00000000,0040A156,00000000), ref: 0040965A
                              Strings
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: State$KeyboardWindow$EventForegroundLayoutProcessThreadUnicode
                              • String ID: [AltL]$[AltR]
                              • API String ID: 3195419117-2658077756
                              • Opcode ID: 93bc4c82374cea9adc1be0e1e00b15a6865a0a166cb0b06a72cbb1eb968038fe
                              • Instruction ID: 29e442ca109236f59d068076b5b59df2bd5c1a98fb0e5871b2f0b43888bf59e1
                              • Opcode Fuzzy Hash: 93bc4c82374cea9adc1be0e1e00b15a6865a0a166cb0b06a72cbb1eb968038fe
                              • Instruction Fuzzy Hash: E0E0E52170432026C828363E2D2B6AE39109741761B80006FF8436B2C6EC7E8D1043CF
                              APIs
                              • GetKeyState.USER32(00000012), ref: 0040A5F1
                              Strings
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: State
                              • String ID: [CtrlL]$[CtrlR]
                              • API String ID: 1649606143-2446555240
                              • Opcode ID: 32d4ed10a71edebd33ac4b48b63deb44ff05106530e36cbcea7ee1510555eeab
                              • Instruction ID: c9b4056729f6320a31326482d9effdd17bd0eb8d0dea22e3f8a852eb4ad5c27f
                              • Opcode Fuzzy Hash: 32d4ed10a71edebd33ac4b48b63deb44ff05106530e36cbcea7ee1510555eeab
                              • Instruction Fuzzy Hash: 53E02672B043112AC414397E551EA2A286087917A9F46042FECC3672C3D87F8D2203CF
                              APIs
                              • RegOpenKeyExW.ADVAPI32(80000001,00000000,00000000,00000002,00000000,80000001,6h@,004123E9,00000000,00000000,6h@,origmsc,00000000), ref: 00412422
                              • RegDeleteValueW.ADVAPI32(?,?), ref: 00412436
                              Strings
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: DeleteOpenValue
                              • String ID: 6h@
                              • API String ID: 2654517830-73392143
                              • Opcode ID: 45be350e15fffb6ae5252e7309d7a4a092feaea6bf63e3a5136c94c60f555a57
                              • Instruction ID: b623b948bfdfa0337ccefb4abe002260ff2e01b184ebd3416e4b53d264740477
                              • Opcode Fuzzy Hash: 45be350e15fffb6ae5252e7309d7a4a092feaea6bf63e3a5136c94c60f555a57
                              • Instruction Fuzzy Hash: 9BE0C231244208BBDF108F71DE07FFA372CDB01F01F5042A5BD0592091C666CE149664
                              APIs
                              • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401D35), ref: 0043B4DB
                              • GetLastError.KERNEL32 ref: 0043B4E9
                              • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0043B544
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: ByteCharMultiWide$ErrorLast
                              • String ID:
                              • API String ID: 1717984340-0
                              • Opcode ID: b03ae9dac27993159e2f076845c08d8301cee77c5f079c52009939e8645c9409
                              • Instruction ID: 0ecaebee41cb6558e50c6262f5020644a21471e748dd5a13caac6b8f2b864e38
                              • Opcode Fuzzy Hash: b03ae9dac27993159e2f076845c08d8301cee77c5f079c52009939e8645c9409
                              • Instruction Fuzzy Hash: AD411630600205BFDB229F65D844B6B7BB4EF09328F14516EFA59AB3A1DB38CD01C799
                              APIs
                              • IsBadReadPtr.KERNEL32(?,00000014), ref: 004105F1
                              • IsBadReadPtr.KERNEL32(?,00000014), ref: 004106BD
                              • SetLastError.KERNEL32(0000007F), ref: 004106DF
                              • SetLastError.KERNEL32(0000007E,00410955), ref: 004106F6
                              Memory Dump Source
                              • Source File: 0000000C.00000002.1456665820.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_400000_AASHNosznogz.jbxd
                              Yara matches
                              Similarity
                              • API ID: ErrorLastRead
                              • String ID:
                              • API String ID: 4100373531-0
                              • Opcode ID: 9879e5f97f9034714067de51e7f9b75c8f83f84791738768acf52853c1cf03dd
                              • Instruction ID: 0e21605053d2ba8273329305491efaf700724209343246308e891da9604144dc
                              • Opcode Fuzzy Hash: 9879e5f97f9034714067de51e7f9b75c8f83f84791738768acf52853c1cf03dd
                              • Instruction Fuzzy Hash: 73417C71644305DFE7208F18DC84BA7B7E4FF88714F00442EE54687691EBB5E8A5CB19